Risk Management – Not Risk Avoidance

There is a commonly held misconception about risk management and, where this relates to security risk management, it is even more widespread, frequently to the detriment of organisations and businesses.

Risk Management is not the same thing as Risk Avoidance and no matter how well you manage your risks, sometimes the bad thing will happen.

At its most basic level, risk management is about identifying what risks you (or your business) faces and coming up with strategies to minimise either the likelihood that the risk is realised, or the impact it causes should it happen.

This is a good thing and, over the years, has allowed businesses to take calculated gambles (exposing themselves to risks) in the knowledge that the overall pay off will be beneficial and that if it all goes wrong, they have some cushioning. This is a common sense approach – so common sense in fact, that we use it day in, day out in our every day lives.

However, when it comes to security risks, people throw common sense out of the window and develop unrealistic, impossible expectations.

As if this wasn’t bad enough, the impossible expectations then create a culture where security incidents are looked at as a catastrophic failure of Risk Management (they arent) and scapegoats are hunted down to be blamed for allowing this “risk” to go unchecked.

Taking this approach is very poor business management, and if it takes place in your organisation you should  immediately start working to improve your corporate culture.

Very recently, Halkyn Security was approached by a potential client asking how much we would charge to conduct a security survey on a 3rd party supplier. This is bread and butter security work, and essential for any organisation that relies on suppliers or outsources its processes. However, when we discussed the scope and requirements with our potential client , one thing stood out.

The potential client was adamant that our security survey should be able to determine that there were “no risks from using that supplier.”

This is fundamentally impossible and I tried to explain this to the potential client several times but got nowhere. They were convinced that if we assessed against their security policies it was possible for us (and backed up by our insurance…) to make the statement that there were “no risks.” To make matters worse, we were the third consultancy they had contacted for the tender and both the others had agreed to this clause. Needless to say, we refused to tender a quote under those terms and I assume one of the others has the business now.

At first glance, this might seem like a trivial point but it boils down all the way back to the basic tenets of Risk Management and the fact that everything carries risk.

There is always a risk in using a third party supplier. No amount of supplier assurance makes that risk go away. While it can reduce the risk to a level you find acceptable, this really is not the same thing.

We could spend 10 years reviewing documents, interviewing staff, surveying property, we could mount surveillance on all employees to determine if their behaviours posed a risk, we could background check all their grandparents and the families of their friends. None of this would ever put is in a position where we could say there was “no risk” from using them as a supplier.

The best situation you can ever be in is knowing that at this exact moment, the most likely risks are identified and have been reduced to acceptable levels (by implementation of controls etc).

As you can see, even this has lots of caveats – but there is no other way, short of lying, to get a better position.

Even where this is sort of understood by businesses, but not fully part of the organisational culture, there remains the problem that once a risk is realised (the bad thing happens), executives without a good understanding of risk management assume that this is a failure of risk management. As mentioned before, it nearly always isn’t.

If you identify a risk (say an asteroid landing on your factory), you assess it and end up deciding it is a very low probability (say 0.0001%), you may – quite rightly – decide that it isn’t worth spending very much money controlling the risk. This is very good risk management.

However, the world is a big place. Low probability risks still happen (people win the lottery…) so you have to be prepared for the worst – however, this is where Incident Response / Incident Management takes over, it is nothing to do with Risk Management.

Once everything is resolved, and the incident closed down, it may be the case that the investigation reveals a risk that hadn’t been identified in the risk management phase – in which, it is a failure of Risk Management – but if the risk has been identified, it is a big mistake to assume that because something happened it must be a “high probability” event.

We sort of understand this in every day life – a worked example is when you are driving an turning out of a junction; you can look both ways, check the exit is clear for your car and that there are no pedestrians, however in the moment when you begin to manoeuvre there is still a risk (a porsche may be coming up at three times the speed limit into your blindspot) but we accept this as part of the general risks around life.  We can implement additional controls to reduce the probability this will happen (blind spot mirrors) or the impact should it happen (seat belts, airbags etc), but the only way we can drive the risk to ZERO is to not drive.

This is an important lesson for every business. Most of the time, the only way you can fully terminate a risk (reduce it to nil / zero, whatever) is to cease doing the activity. If the activity makes your business a profit, this is rarely an option…

As a final issue – think about how you deal with incidents once the shouting has died down.

One of the main ways businesses waste money on security is dealing with the last incident that happened rather than adopting a sensible, controlled, risk management strategy that prioritises risks instead of reacting to recent events.

Do not get fixated on the last hack, the last break in, the last disgruntled employee, instead look at the patterns. Develop an understanding of the probabilities that certain events will happen – and most of the time this is not even close to being an exact science – and come up with strategies to minimise the risk.

The golden rule of Security Risk Management

Never expect a risk to be eliminated unless you have also fully terminated the associated activity. 

Anything else is just going to cause you problems – possibly more problems than the risk or incident…

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.