Additional security almost always involves additional expense. As this does not directly generate income, it should always be justified in financial terms. The Risk Analysis process should directly and automatically generate such justification for security recommendations in business terms.
Productivity: Audit/Review Savings
A Risk Analysis programme should enhance the productivity of the security or audit team. By creating a review structure, formalising a review, pooling security knowledge in the system's "knowledge base" and utilising "self-analysis" features, much more productive use of time is possible. The ability to 'build-in' expertise should also alleviate the need for expensive external security consultants.
Breaking Barriers - Business Relationships
Security should be addressed at both business management and IT staff. Business management are responsible for decisions relating to the security risk/level that the enterprise is willing to accept at a given time (which involves consideration of potential business impact). IT management are responsible for decisions relating to specific controls and application.
Risk Analysis should not only direct appropriate information at each group, but play a major and pro-active role in enhancing the understanding of the needs and role of the other. It should bring the two groups closer together.
Risk Analysis should relate security directly to business issues.
The Risk Assessment system should be simple enough to enable its use without necessitating particular security knowledge, or indeed, IT expertise. This approach enables security to be driven into more areas and to become more devolved. It enables security to become part of the enterprises culture, allowing business unit management to take more of the responsibility for ensuring an adequate and appropriate level of security.
The widescale application of a risk assessment programme, by actively involving a range of, and greater number of, staff, will place security on the agenda for discussion and increase security awareness within the enterprise.
Targeting Of Security
Security should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities. Failure to achieve this could result in excessive or unnecessary expenditure. Risk Analysis promotes far better targeting and facilitates related decisions.
This not only applies to which areas of a particular system resources should be directed to, but which business systems. Through the application of Risk Analysis across multiple business unit, it is possible to quickly establish the areas of greatest risk to the enterprise as a whole.
'Baseline' Security and Policy
Many enterprises require adherence to certain 'baseline' standards. This could be for a variety of reasons, such as legislation (eg: Data Protection Act), enterprise policy, regulatory controls, etc. The Risk Analysis methodology should support such requirements and enable rapid identification of any failings.
A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This not only applies across different applications, but different types of business system.
It should also embrace those systems not under the direct control of IT management....paper based systems, PC Systems, or systems utilising other office equipment.
By obtaining information from different parts of a business unit, a Risk Assessment aids communication and facilitates decision making.
There are also a number of other important, but less tangible, benefits to be accrued via the application of Risk Analysis.
It can be seen that the potential benefits to be accrued via the application of a Risk Analysis methodology are substantial.
"Problems aside, we are rapidly approaching a situation where risk management is no longer an option. In a highly competitive business environment, companies cannot afford to have costly or inappropriate security. Effective risk management can be nothing less than the defence of company profitability." - Dr P G Dory, former Head Of Information Security, Barclays Bank PLC