Security, pursued on its own terms, tends toward an unbounded goal: ever-tighter defenses and preemptive work to close every vulnerability before it is exploited. Risk management, by contrast, is the discipline that lets an organization decide how much residual risk it will accept, operate within that bound, and measurably improve its security and compliance posture against the applicable legal and regulatory standards.
Most companies are not accustomed to thinking of information as a regulated asset. Ingredients and food products, energy, toxic chemicals, infrastructure, and money are among the many assets that have been regulated for decades, or even centuries. Yet executives and entrepreneurs are now obligated to treat information the same way.
They have to adjust to the idea that information will be governed by procedures similar to those that govern other regulated assets: an internal auditor, quality process engineers, peer review, attorneys, independent reviews, and so on. There must be controls and certification, scaled in a way that makes sense for their own specific businesses.
Under current legal standards, the best means of being in compliance is to have a clearly defined level of reasonable risk, and clear procedures that the company implements consistently.
In the event of a breach, this level of risk management should enable the business to demonstrate empirically, from its own records, that it was not negligent. There must be a quantifiable way to state the company's acceptable level of risk in terms of impact and likelihood. Impact is defined according to the company's mission, objectives, and obligations. The standard must be applied consistently across all of the company's information assets that could pose a conceivable risk; an asset left out of the assessment is one for which the company cannot show it made any decision at all.
If a company can clearly articulate and calculate its level of acceptable or reasonable risk, and operate in a manner that demonstrates compliance with it, it may be protected enough to forgo more complicated and expensive security measures, specifically those that would only reduce risk already below the accepted threshold, thus freeing up resources that can be invested in creating value for the business.
Risk management is therefore necessary not only to fulfill regulatory requirements and contractual obligations, but also as an expression of the company's business goals. A clear risk assessment and risk management process ultimately makes running the business easier.