Why risk management fails in IT

By Richard Stiennon, chief research analyst, IT-Harvest, special to Network World
October 16, 2012 09:25 AM ET

What to do? Use threat management techniques, not risk management.

Consider if the U.S. president's morning intelligence briefing was focused on risk management.

It would have to take into account the 40 or so U.S. facilities involved in the production of nuclear weapons, then the 250 or so diplomatic missions around the world, and of course the U.S. military bases (you count them), and maybe a breakdown of the 17 designated critical infrastructure sectors, not forgetting national monuments.

Ridiculous, of course, because a true risk management report would summarize all of that information into a simple score. A vast army of risk auditors would be engaged to come up with a uniform scoring system and every "asset" would be given a score which would be weighted and rolled up into a dashboard that gave a single-pane-of-glass view into overall risk every day.

But if such a thing were even possible, what would it have shown the day before the USS Cole was attacked? Or on Sept. 10, 2001?

Of course an intelligence briefing is not about assets; it is about threat actors. Intelligence is gathered about their intentions, capabilities and movements. Decisions are made based on threats. Real and present dangers are identified and resources are deployed to gather further intelligence (detect), deny, disrupt, delay, degrade, deceive or destroy the threat actors.

That is the basis of threat management, an approach that is proving to be much more effective at reducing the losses from targeted attacks.

Stiennon is chief research analyst at IT-Harvest. He recently launched IT-Harvest Press to publish nonfiction books. The first in a series of books on the analyst business, "UP and to the RIGHT: Strategy and Tactics of Analyst Influence," was published in July to great acclaim. A new book, "Wide Open Privacy," will be published in November 2012.
