Monday, January 26, 2015

Risk & Reward

I think we have all heard the phrase "no risk, no reward". It applies to life in a general sense (asking out that special someone, taking on new challenges), and it applies to the IT world as well, specifically in the infosec arena.

While "risk" might bring to mind death and destruction (ok, maybe not that bad), it isn't always doom and gloom. A lot can be learned from exercises like risk identification inside an organization.

We have all (I am assuming here) heard of something called risk management: essentially, managing the risks to the company or organization. It is a critical component of managing IT in all its glory and splendor.

But why is it a good thing; what does it have to offer? One thing that comes to mind is knowledge: learning the company (the self) and learning your enemy (the attackers and other threats that come from outside), much like General Sun Tzu's words, "know the enemy and know yourself".

Risk identification is the self-examination step: it inventories the organization's assets and classifies them by importance, assigning a value to everything, every moving part. Only once you know what you have and what it is worth can threat identification (what could go wrong with each of those assets) come to fruition.

Oh my! Admitting it is the first step, right? It is probably hard for an organization to actually admit its threats and weaknesses, but it is necessary in order to protect its assets: detecting the vulnerabilities, estimating the possible consequences, working out what percentage of each risk a given control mitigates, and planning from there.
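To make the steps in the two paragraphs above concrete, here is an added example (mine, not code from the original post): a small Python risk register that inventories assets with a value, lists a threat against each, estimates how much of the asset one incident would cost and how often it happens, and then checks what a proposed control buys. The formulas are the standard single loss expectancy / annualized loss expectancy ones from quantitative risk analysis, not something the post itself states, and every asset, threat, number and control below is constructed for illustration.

```python
"""Added example: a tiny quantitative risk register.

Standard risk-analysis formulas (assumed here, not stated by the post):
  SLE          = asset value * exposure factor      (single loss expectancy)
  ALE          = SLE * ARO                           (annualized loss expectancy)
  residual ALE = ALE * (1 - mitigation)
A control pays for itself when the ALE it removes exceeds its annual cost.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                 # business/replacement value, in currency units


@dataclass
class Risk:
    asset: Asset
    threat: str
    exposure_factor: float       # fraction of asset value lost per incident, 0..1
    aro: float                   # annualized rate of occurrence (incidents/year)
    control: str = ""            # candidate control, if any
    mitigation: float = 0.0      # fraction of the risk the control removes, 0..1
    control_cost: float = 0.0    # annual cost of running the control

    def __post_init__(self):
        # Reject nonsense inputs early: a factor outside 0..1 silently
        # produces negative or inflated loss figures.
        for name in ("exposure_factor", "mitigation"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {v}")
        if self.aro < 0 or self.control_cost < 0:
            raise ValueError("aro and control_cost cannot be negative")

    def sle(self) -> float:
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        return self.ale() * (1.0 - self.mitigation)

    def control_net_benefit(self) -> float:
        """Annual loss avoided by the control minus what the control costs.
        Positive means the control is worth buying on these numbers."""
        return (self.ale() - self.residual_ale()) - self.control_cost


def rank_risks(risks):
    """Highest annual expected loss first: the order to worry about them in."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def worthwhile_controls(risks):
    """Controls whose yearly saving exceeds their yearly cost."""
    return [r for r in risks if r.control and r.control_net_benefit() > 0]


# Constructed sample register (hypothetical assets, threats and figures).
CUSTOMER_DB = Asset("customer database", 500_000)
PUBLIC_WEB = Asset("public web server", 50_000)
LAPTOP = Asset("staff laptop with local data", 20_000)

SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "SQL injection leading to data theft", 0.8, 0.2,
         control="parameterized queries plus code review",
         mitigation=0.9, control_cost=15_000),
    Risk(PUBLIC_WEB, "defacement via unpatched CMS", 0.5, 1.0,
         control="outsourced 24x7 monitoring",
         mitigation=0.7, control_cost=30_000),
    Risk(LAPTOP, "lost or stolen laptop", 1.0, 2.0,
         control="full-disk encryption",
         mitigation=0.95, control_cost=2_000),
]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.asset.name:30} {r.threat:38} ALE={r.ale():>9,.0f} "
              f"residual={r.residual_ale():>8,.0f} "
              f"control net benefit={r.control_net_benefit():>+9,.0f}")
    print("worth buying:", [r.control for r in worthwhile_controls(SAMPLE_RISKS)])
```

Run as a script it ranks the three risks by expected annual loss and shows that, on these made-up numbers, the monitoring contract for the web server costs more per year than the loss it prevents, while the other two controls pay for themselves. The numbers are the hard part in practice; the value of the exercise is that it forces the asset inventory and the honest estimate of what each one is worth.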

And again we come back to knowing the enemy and knowing the self: how much more useful a risk analysis becomes when its purpose is to protect the self from the enemy. Without taking the risk of knowing the self (faults and all), the reward of protecting the self from the enemy can't happen, and when bad things do happen they will happen on a much broader scale than if the organization had put in the time to actually analyze its assets and weaknesses (knowing the self).

Because there really is a lot of information out there on risk management, risk identification, etc., here are a few links to have a look at for more information.

Risk Management: https://www.theirm.org/about/risk-management/
Risk Identification: http://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-identification

Stay safe out there (and if you feel like it, try something new. Remember risk & reward... unless it's illegal; don't do that).
