Adding up

Risk calculation is essential but to be successful it must be an ongoing process, not a periodic snapshot.

Risk calculation and mitigation is pretty much the first thing that enterprises need to do when they want to get an accurate idea of how much and where they should invest their security money.

"Business decision-makers always look to hard numbers whenever a budget is requested.

 

They would like to see clear dollar values associated with the risk claimed to be out there, along with a clear RoI model linked directly to the business. Additionally, it is very difficult, nearly impossible, to be sure whether the investment put in place is really making sense to the business, or not, without realising the potential losses.

Therefore, calculating the risk becomes a necessity as part of the risk management process," says Ahmed Etman, security business development manager at Cisco Middle East.

Guru Prasad, general manager for networking at FVC agrees: "Risk assessment is absolutely essential. IT managers have to do that to be able to justify to their senior management security spend.

Basically that is the way to tell the CEO that if you don't invest in technology, these are the risks that the business faces. They have to do that assessment before the top management can say ‘yes go ahead and spend that money.'

That is one of the things we have also seen that IT managers struiggle with - how to justify spending on IT and the answer is simple - just do risk assessment. It is like selling insurance; unless you are really told what could happen or something really happens to you, you never think about buying insurance.

The same concept applies when buying security products and solutions.

Apart from helping IT managers and higher management plan the security budget more accurately, risk assessment is essential for enterprises to understand the threats that are likely to visit them and acts as a reliable guide to fashion policies to prevent or subdue attack vectors.

In spite of the obvious necessity of risk assessment, many Middle East enterprises remain either ignorant of the concept or shy away from the prospect of using it to advantage.

"We cannot deny that the majority of enterprises in the region are still in their infancy when it comes to such disciplines in information security management practices; however, the progress is certainly obviously moving in the right direction.

Over the last few years, several organisations, mainly in the government sector, have been heavily focused on creating security and risk management frameworks," says Etman.

In the Middle East, probably less than 25% of enterprises do risk assessment.

A lot of them are working on standards such as ISO 27001 but I don't think they are necessarily connecting security to business functions. Of this 25%, I would say less than 10% understand the concept and think and manage the organisation from a risk perspective," states Jeff Ogden, director of consulting at MENA for Symantec's global services.

It is essential that Middle East enterprises not only understand the importance of conducting risk assessment but also put in place the right processes for getting the most out of the procedure.

Understanding risk

According to Symantec's recent white paper, many people confuse threats and vulnerabilities with risk.

To be at risk, an organisation needs to be subject to a threat that is able to exploit a vulnerability and then go on to cause an impact on some system or process that it is operating. All three elements: threat, vulnerability and impact need to be present for you to be at risk.