Tag Archives: business

IT Risk Management Lessons Learned

From Tom Scholtz’s presentation at Gartner Security & Risk Summit 2013 on lessons learned in IT Risk Management:

  • Understand that there is a limited appetite for risk management as a topic among business users (i.e., don't overdo it)
  • Ideally, risk assessment is performed on business processes (vs IT assets or services)
  • Risk interpretation is personal — there is no correct answer
  • Don’t try to use only one risk assessment method for all assessment scenarios — one size does not fit all
  • Don’t use security & risk operational metrics when communicating risk to leadership — convert them to business objectives
  • Risk affinity for individuals and organizations changes over time
  • In many IT risk cases, quantitative risk analysis is impossible (because of lack of relevant actuarial data)
  • In the quest to simplify, don’t try to roll up multiple independent risks into one metric
  • Always link risk management activities to business objectives
  • Focus on risks that we can do something about

Finally, while possibly an unpopular sentiment among some practitioners, risk should be treated more like an art than a science, where the focus is on gaining and documenting experience (see my post Inverting Sun Tzu) and on continuous improvement.

Poorly Defended & Under Attack — SMBs in the Spotlight

Cyberattacks on small and medium-sized businesses (SMBs) continue to grow, damaging the individual SMBs as well as the interconnected business infrastructure they are part of.

Why attack SMBs?

SMBs are under increasing attack for several reasons:

  • They are often poorly defended because of resource constraints
  • They are typically connected to other SMBs and to larger organizations, providing an attack path (or "attack vector") into other businesses
  • There are a lot of them

Simply because of their size, SMBs are typically poorly defended: they are resource constrained and don't have IT and/or security expertise on staff.

A recent UK survey found that only 14% of SMBs considered cyber security threats a top priority and felt they had sufficient skills and resources in place to manage the threat.  In another study, commissioned by Microsoft, AMI-Partners surveyed Involuntary IT Managers (non-technical staff assuming technical duties) and found that:

  • 30% thought IT management was a nuisance
  • 26% did not feel qualified to manage IT
  • 60% wanted to simplify their organization's IT systems to make managing them more feasible

SMBs are easy and lucrative for attack

The AMI-Partners survey covered 538 Involuntary IT Managers across five countries, in companies of 100 employees or fewer.  It also found an aggregate loss of over $24 billion due to inefficiencies stemming from Involuntary IT Managers not performing their primary job duties.

Another reason for targeting SMBs is that their interconnectivity with other businesses can provide an attack path to larger businesses.

Finally, there are a lot of SMBs.  In industrialized countries, a few very large companies live side by side with many small and medium-sized companies.

What to do about information security and risk management in SMBs?

That, then, is the question.  The resource constraints SMBs face aren't going to magically disappear anytime soon.  Should the government assist?  Or, conversely, should security and risk management simply be a cost of doing business for the SMB?  Should SMBs face penalties for insecure environments or poor infrastructure support practices?  Would that stifle innovation?

I lean towards a hybrid solution in which the SMB is responsible for knowledge and awareness of itself and its information risks, but I would like to see the government make resources available to SMBs (or support industry groups to do the same).  These resources could include:

  • simple guidelines and minimum configuration standards (some of the current policies and directives are so convoluted and difficult to read as to be impossible to implement)
  • simple asset inventory tools
  • network mapping tools that help SMBs document their own environments
  • simple penetration test tools coupled with results analysis tools
  • simple risk management tools

SMBs themselves, professional organizations and networks, or governments must find a way to better educate and prepare SMBs.

  • How do you think SMBs should manage their IT and information management systems?
  • What do you do to protect your business?
  • Do you actively manage information risk?
  • Do you turn it over to someone else?
  • How well do you understand your exposure to cyber attack and compromise?
  • Do you avoid it altogether because it's simply overwhelming?

Lions and Tigers and Bears

In this age of exponentially growing information risk, we can become like Dorothy was early in her journey and focus only on the things that can go wrong. We can get so caught up in what can go wrong that we forget to take inventory of what needs to go right.

Lions and tigers and bears ...

Over lunch recently, a friend of mine with a career in risk management shared a helpful perspective on this.  Instead of always approaching risk by trying to think of everything that can go wrong, first think of what must go right.  That might sound like two sides of the same coin, but I think it is more than that: this approach helps to prioritize efforts and resources.

It's easy to get caught up in trying to create an exhaustive list of everything that can go wrong.  The problem is that this can:

  1. be overwhelming to the point of analysis paralysis, and
  2. identify risks that may not be relevant to your situation.

Some risks may not be immediately pertinent to you.  For example, the latest encryption specification for data at rest for DoD contractors might not be at the top of your list.  Having an always-on internet connection so that you can update the company website, however, might be.

Take the hypothetical of a bike shop with three stores.  Some things that must go right for the owner might be:

  • A constant internet connection for running credit cards
  • Customer information (including personally identifiable information) retained for billing and marketing, and accessible only to authorized employees
  • The bookkeeper has a secure connection to the financials from outside the stores
  • Safe, secure workstations available to employees from 6:00 am to 6:00 pm
  • 24/7 access to current inventory across all stores

These are pretty basic requirements, but they help to prioritize need.  Looking at what must go right, what could prevent it from happening?  What is the risk of losing the internet connection?  Are we sure customer information is available only to authorized employees?  What kind of connection is the bookkeeper using?  Do the workstations get regular anti-virus updates?  Are there policies or guidelines on employee workstation use?  If the computer holding the store inventory fails, is there a backup?  How quickly does it need to be recovered?

In spite of the risks of lions, and tigers, and bears, Dorothy was able to return to her mission and seek the Wizard. We must do the same and not lose sight of our business objectives in our analysis of the lions and tigers and bears.

Can you name five things in your organization that must go right for you to be successful?  What vulnerabilities do these objectives have?  What threats do they face?