Risk in the context of security is a discussion unto itself, and one that we will address in greater detail in a later post. For now, I simply want to address why it is one of the core principles in Intellinet’s approach to security.
First, let me clarify what I mean when I say “risk”. I am partial to the following broad definition of risk, based on ISO 73:2009: risk is the “effect of uncertainty on outcomes.”
I like this definition because it highlights arguably the most common trap businesses fall into with respect to risk: the ultimate goal of risk management is not the management of risk; that is circular and illogical. The ultimate goal of risk management is the delivery of intended outcomes.
In other words, risk management is not an end in itself; it is a means to an end.
It sounds obvious, but when certain types of risk are considered, for example the risks associated with compliance and audit requirements, those very often do become an end in themselves. Large businesses in regulated industries often find that compliance has become the center of the universe, around which everything orbits. As we will explore in other blog posts, compliance has little to do with security, much less business innovation, and this perspective often begins with an incorrect view of risk.
That said, understanding and quantifying risk is essential for effective security prioritization and investment. You simply cannot align your security investment strategy with the organization’s overall strategic goals, nor can you govern security effectively, without a clear understanding of risk.
It’s surprising, then, that one in three security departments have never conducted any sort of formal risk assessment. Consequently, as we consult with large and small businesses alike, we often find that their investment in security technology is not aligned with, and does not adequately address, the most significant risks to their business.
If risk management isn’t already a fundamental part of your approach to security investment and governance, we can show you where to start. For those that already approach security from a risk-informed perspective, but feel that things have become unbalanced (for example, the culture has become so risk-averse, or so focused on compliance, that it inhibits innovation and gets in the way of the business), we can show you how to restore a healthy equilibrium.