The world turns, things change and new security risks continue to appear on the scene. Some organisations bury their head in the sand or cross their fingers. ‘It wouldn’t happen to us’ is their motto. Others make plans using different approaches, some better than others. Then they leave the plan untouched without updating it and expect it to hold good. Is such a policy ever justified? Do new threats mean that traditional security principles should be revised? And where should you start if you want to improve your own security risk management?
People are still at the heart of security risk management. No matter what security you build into your systems, it only takes a moment of carelessness by a human being, a password let slip or a building access point left open, to start a security chain reaction. Good security starts with good security awareness, which in turn starts with senior management. Yet in many organisations, C-level executives are ignorant of the potential threats. While they may be fast to act when an incident or breach occurs, their contribution is often reactive instead of proactive. In that case, it is no wonder if the rest of the personnel think the same way. Building awareness at all levels is also a continual activity: if you do it only once, then a little later it will be as if you never did it at all.
For effective awareness, security risk management needs a solid base. A number of key security principles are immutable. However, the inventiveness of hackers and criminals means that there will always be new holes that need to be plugged. ‘Advanced persistent threats’, ‘spear phishing’ and cloud data leaks are a few examples. Regular reviews and planning updates are crucial to keep security risk management operating correctly. Remember also to refer back to key principles as each new threat is identified. This lets you avoid being driven by ‘flavour of the month’ policies that only skirt around the real issues in security, instead of addressing them directly.