Data breaches are serious and very real threats in today's digital world, and no industry sectors are immune. In the medical sector alone, the cost of client data breach liability, expense, and settlements surpassed the same costs from medical malpractice. Securing data and minimizing the probability and impact of data breaches is at its core a risk-based endeavor.
While many businesses have recognized the need for risk assessment and management, there is still a tendency to treat risk assessment and managements as "checkbox" exercises. For a risk management program to provide true benefit, several things are required:
- An enterprise-level risk management practice. This is NOT your IT risk management team – it is a standalone and empowered practice that operates at the CXO level. This team is focused on business alignment.
- An IT-level risk management practice. This team is focused on the application and testing of applicable risk management frameworks and the controls associated with those frameworks.
- Certified and qualified risk management professionals. There are several industry certifications available. CRISC (Certified in Risk & Information Systems Control) and CRMP (Certified Risk Management Professional) are examples. They both require hefty amounts of continuing education, which is critical, given the moving target that cybersecurity has become.
Too often we see businesses with some partial combination of these elements, but we rarely see them address the complete picture.
4 Ways to Approach Risk
Risk assessment doesn’t need to be an enigma. Once risks are identified, they can only be dealt with one of four ways, with the selection for each risk factor to be determined with a business-alignment mindset:
- Accept the risk. This is appropriate for risk factors with low probability and low impact.
- Avoid the risk. Patient: "Doctor, my arm hurts when I do this!" Doctor: "Well then, don’t do that!" In all seriousness, this means that the organization shouldn’t engage in business activities not aligned with their primary mission or outside their area of primary expertise. This is appropriate for risk factors with high probability and high impact.
- Transfer the risk. This is appropriate for risk factors with low probability but high risk. Examples are insurance policies and outsourcing of high-capital expense or high-expertise elements such as data center services. (Disclosure: I work for Lifeline, a provider of data center facilities and services.)
- Mitigate the risk. This approach is appropriate when the high probability but relatively low risk. Additionally, if you happen to be a service provider that other organizations transfer risk to (like a data center provider) you are the last stop for risk, and you must find ways to mitigate it.
Obviously, the parsing of risk factors into their appropriate action buckets is a complex process requiring knowledge of the threats themselves, the technology involved, business alignment, vendor capabilities, actuarial data, etc.
Clearly, the ones that avoid it or accept aren't setting themselves up for success. Being proactive instead of reactive is key to ensuring you cover as many vulnerabilities as possible.
On the other hand, many businesses realize they don't have the staff, objectivity, time, or the money to allocate to risk management. These can be barriers to success, along with the other ego factors, including politics, turf wars, and ambition. Therefore, the most popular option out of these four is transferring that risk onto someone else, which effectively takes care of option number four: mitigating risk altogether.
The biggest benefit of this option is that hiring outside help can be the most cost-effective option, given that the cost of attracting certified risk management professionals and getting certifications for your business could be upwards of $1 million. And it takes time and resources, which translates into overhead costs. When in doubt, I always recommend transferring the responsibility to mitigate risk more effectively.
Implementing Risk Management
Before you can develop a risk management practice that makes sense, you need to assess where you currently stand. Instead of trying to assess the situation yourself, it's important that you hire a third party to complete a risk assessment of your business that spares no detail. Thoroughness is an advantage; the more you know, the more you can mitigate risk.
The next decision you need to make is whether or not you want to eat the cost and handle it internally, or if you want to transfer that risk to an outsourced party.
Finally, regardless of whether you keep it in-house or transfer your risk, you do need to dedicate resources to your risk management practice so you can mitigate vulnerabilities as much as possible.
The consequences of not understanding and addressing your risks can be dire - from not being able to attract quality talent to destroying your reputation and credibility to going out of business.
Are you risk-ready?
This article is published as part of the IDG Contributor Network. Want to Join?