Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=229000951
A risk-based approach to security shows the cost of mitigating risks relative to the perceived value of an asset, in the context of vulnerabilities, threats, and potential impact on the business. Sounds straightforward enough, and our survey respondents talk a good game: 41% say a main goal of their IT risk management programs is to ensure IT alignment with business needs.
From our experience, however, there's some wishful thinking going on. Rarely do the companies we work with even have a comprehensive asset list, let alone any consistent risk-based analysis of assets or controls. In addition, a plethora of risk-based models--AS/NZS ISO 31000:2009, ISO 27005, COSO, OCEG--get caught up in religious wars over which is best. Within these models is a variety of approaches, including data-centric security; enterprise risk management; information risk management; and governance, risk, and compliance.
The devil really is in the details. To base a security management approach on risk, you must know how any given asset is valued, the likelihood that a threat will exploit a vulnerability, and the impact to the business if a given asset were to be compromised. And you must accept that not everything can be fixed. When managing risk, IT has several mitigation options to consider: reduce, transfer, avoid, or accept. Be realistic. For the time being, you may have to transfer, avoid, or accept risks that you would prefer to reduce. This is where being able to assess the value of a service and the costs of possible controls is invaluable.
Most of all, don't get bogged down. All of today's risk standards have the same core components. Fighting over which to use ensures just one thing--that you won't make progress. You can always change later if it turns out an approach is too complex or another framework is more relevant for your company. Just pick one and get going.