I had the opportunity yesterday to participate on a panel discussing risk management at the Technology Executives Club in Chicago. I met a lot of interesting people and wanted to thank the TEC for the invite.
One of the recurring subjects at the event was the prioritization of risks. Of the 100 things you currently have on your plate, how do you decide which issue to work on or address next? Without trying to downplay or oversimplify the issue, this seems to me to be a basic risk management question. While managing information security risks can be as much art as science, in its simplest form a risk is its potential impact multiplied by its likelihood. Given that result, you can decide to accept, mitigate or eliminate the risk based on cost (of all kinds). Of course this is a simplified view of things, and each risk certainly contains tough-to-quantify gray areas.
I think the real issue here is bad data. In industries such as insurance, actuaries have the ability to rely on good data from the past in order to predict the likelihood of certain events in the future. This ‘good data’ doesn’t really exist in information security today. The one report that is continually brought up on this subject is the CSI / FBI Survey. I think Bruce Schneier summed up this report best. Security professionals do not have large amounts of accurate data to rely on, making the likelihood portion of the risk management equation difficult at best.
Updated 2/26: Updated to add a link to the webcast of the panel I participated in.
