Skip Links

Three simple rules of risk management

Knowledge of risk factors goes a long way in protecting data

Security Identity Management Alert By Dave Kearns, Network World
October 23, 2009 11:54 AM ET
Kearns
Sign up for this newsletter now!

The foundation for security and enterprise management

Network World - Chris Sullivan, Courion's vice president of customer solutions, recently posted a blog entry about risk management. In it he quotes Warren Buffett, the world's richest man and undisputed king of practical risk management who once said, "Risk comes from not knowing what you're doing."

While that's a bit trite for my taste it is, nevertheless, worth remembering. Just as long as you know that the converse isn't true: knowing what you're doing does not remove the risk. Knowing what you're doing can help mitigate, or alleviate, the risk but it rarely removes all of the risk. Still, it's important enough that we could say the first rule of risk management is: Know what you are doing.

If you know, for example, that you are loading people's names, ID numbers (Social Security, national health, credit card and so on) and other information as clear text to a laptop computer (or, probably worse, to a memory stick) then logically you should realize that the risk of releasing that data into the wild is very great. That would be rule No. 2: Know the risk involved with what you are doing.

Once you are aware of the risk involved you would -- hopefully -- take steps to reduce the risk such as encrypting the data or, even better, not taking it outside of the firewall. There's rule No. 3: Take steps to remove as much risk as possible. 

As Sullivan says about the Buffett quote: "How simple is that? You can have all of the risk management frameworks that the big four can sell you but if you don't know who has access to what, you can't assure access, can't manage risk and you can't assert compliance to virtually any regulations. Hell, you don't even know what access to remove when someone leaves your company."

It's not rocket science, and it can be very simple as long as you remember the three rules:

1. Know what you are doing.

2. Know the risk involved.

3. Remove as much risk as possible.

Obviously, there's a lot more to risk management than that but by simply following those three simple rules many, if not most, data breaches and leaks of the past few years could have been avoided.

UPDATE: Last week I mentioned the new functionality of Oracle's ESSO client. Now a little bird tells me that this is little more than a re-branding of Passlogix' v-GO On Demand Edition. So you have a choice.

Read more about security in Network World's Security section.

Dave Kearns is senior analyst for Kuppinger-Cole and editor of IdM, the Journal of Identity Management.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News