Pragmatic information risk management (part 1)
As IT becomes increasingly complex, as the threat landscape becomes ever more sinister, and as we have grown critically dependent on information, a pragmatic approach to managing information risks and security becomes not just valuable but vital. It's existential - a matter of survival.

The pragmatic approach involves adopting a realistic and practical perspective when identifying, evaluating and deciding how to address information risks, balancing the need for protection against maintaining smooth business operations.

It starts with a clear appreciation of the value of information to the organisation, with implications for the associated systems, flows, activities, risks and controls. Since it is literally impossible to eliminate risks, it makes sense to focus our attention and finite resources on the organisation's priorities - specifically, its strategic business objectives - and the associated information.

At a superficial level, it's blindingly obvious that, for example, customer accounts information is of great value to a bank, safety-related info is critical to a mining or explosives company, while product and production data are critical to any manufacturer. Scratch even a little deeper, though, and it's hard to know when to stop. Every organisation has valuable information on its finances, its people, its processes, its strategies, its markets, its suppliers ... all interdependent, all important to some extent. A serious information incident way down in the bowels of the organisation, or elsewhere in its supply chain, might bring the whole edifice tumbling down, but that is much less likely than serious damage from even a trivial issue with business-critical information.

Cue: Business Impact Analysis and Business Continuity Management. They tell us what we need to know about the criticality of business activities, relationships and information.

BIA helps us focus on the information that matters the most to the business. Although of course we can't totally ignore other information, we have a clear steer, a pragmatic starting point.

[More to come after a break to let that first little bit sink in.]
