Senior managers in the private and public sectors are increasingly aware of the risks that affect the achievement of their objectives, and the complexity of putting plans in place to mitigate those risks. For IT leaders, an understanding of these issues is essential to supporting the business.
The potential concerns are multiple and varied. Vital information is at risk from technological threats such as viruses and hackers, and human elements such as errors and insider fraud. The growing regulatory burden makes risk management a central part of good corporate governance. And external threats, such as floods, natural disasters and even terrorism, make business continuity a critical part of any strategy.
Two recent Computing web seminars, in association with BT, examined the best practices in managing risk and how they relate to IT. Our panel of experts answered viewers’ questions and here we present their answers.
Our experts were:
- Mark Hughes, director, BT Group security.
- Raj Samani, vice president of communications for the Information Systems Security Association UK (ISSA UK).
- John Walker, chief technology officer at Secure-Bastion, and chairman of the ISSA UK expert technology panel.
- Ray Stanton, global head of BT's business continuity, security and governance practice.
- Clive Longbottom, service director at analyst Quocirca.
Our biggest problem comes from false confidence among senior management: there is a tick-box mentality whereby auditors say it is a good process, but it is not part of the culture of the organisation. How do we overcome that?
MH: Risk management and its accreditation are only as effective as the systematic analysis of where those controls are not working. A lot of the accreditation and activity that goes around achieving standards should be viewed as a baseline. You need to understand the risks that mean you will not be able to consistently achieve those standards.
Then, and this is the most important part, you must really be able to take the evidence that you have – such as management information systems to collect data and analyse it systematically – and improve risk management plans as you go forward. It is that systematic analysis of how things go and what the actual evidence is that needs to be taken on board.
RajS: Unfortunately, one of the ways to shake people out of a tick-box mentality is for things to go wrong. The retailer TK Maxx was a fantastic example, where millions of dollars were spent as a result of a data breach. Hopefully it will not get to that and you just need to try to communicate this in a language that will make people take notice and do something about it.
People often suggest the private sector is less bureaucratic and more agile than the public sector. Is it simply a case that we find out more about what happens in the public sector than the private? Is there a need for more regulation here?
RajS: Sometimes you can “bury the dead” in the private sector. There are examples, such as Nationwide Building Society, that are disclosed but, by and large, in the private sector there is more of an opportunity to bury bad news.
In the US there is a data breach notification law and it was found that people are becoming numb to the problem, because they are receiving so many letters from organisations saying there has been an issue.
JW: At the Financial Services Authority, which regulates the finance sector, the emphasis is on companies to report problems. But I have seen a number of occasions where there is internal risk management and the main interest seems to be the corporate profile and exposure, rather than the thousands of people who have become exposed to the data loss. So it comes down to internal management processes as well.
How do you measure risk and the benefits you achieve by doing so?
MH: At BT, we start this process with our customers. We understand what they want from us in terms of standards and level of assurance, so we have to understand the assurance and accreditation regime that we need in our organisation. We have a system, a matrix or grid of likelihood and impact of risks, and the pre-tax profit impact to the bottom line.
We then say: What are the things that we deem to be risks that will prevent something happening? We go to the business and ask what the impact would be of one of these risks – what are the consequences of one of these risks happening?
They are the usual type of things, which we know and we talk about every day – network attack, physical attack, physical theft, natural disasters – so we can measure consequences financially.
There is usually a broad range of things that do not have a high impact in financial terms but happen a lot, and things that are very exceptional and therefore much higher in value.
A judgement has to be made about what that impact is. Having done that, we can cost up solutions and look at the effect on those risks and understand what happens if we move those risks to a more managed position.
For example, if we start off with a risk that might be worth £20m once in every 10 years, we apply the control measure and bring that down to an acceptable point, which is once in many more years at much less cost. We compare that with the amount that it costs to deliver the service, and there you have your answer.
The important thing is to continue to revisit how that risk is manifesting itself to check that the control measures are appropriate.
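The likelihood-and-impact costing described in the answer above, carried through as an added worked example. This is illustration code written for this page, not BT's own tooling or method; the risk figures, control costs, reduction factors and grid thresholds are all constructed, and the £20m-once-in-10-years case is taken from the answer. It also handles the contrasting case mentioned earlier: a low-impact risk that happens often, where a control can cost more than the loss it removes.

```python
"""Costing a risk on a likelihood x impact grid and comparing it with the cost
of a control.  Added worked example; all figures are constructed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact_gbp: float       # pre-tax profit hit per occurrence (single-loss expectancy)
    events_per_year: float  # expected frequency, e.g. 0.1 == once every 10 years

    def annual_expected_loss(self) -> float:
        """Impact x likelihood, i.e. the annualised loss expectancy."""
        return self.impact_gbp * self.events_per_year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_gbp: float
    frequency_factor: float = 1.0  # residual frequency as a fraction of the original
    impact_factor: float = 1.0     # residual impact as a fraction of the original

    def apply(self, risk: Risk) -> Risk:
        """Return the residual risk left once this control is in place."""
        return Risk(risk.name,
                    risk.impact_gbp * self.impact_factor,
                    risk.events_per_year * self.frequency_factor)


# Bands for the likelihood/impact grid (constructed thresholds, not a standard).
IMPACT_BANDS = ((1_000_000, "low"), (10_000_000, "medium"), (math.inf, "high"))
LIKELIHOOD_BANDS = ((0.05, "rare"), (1.0, "occasional"), (math.inf, "frequent"))


def _band(value, bands):
    return next(label for limit, label in bands if value < limit)


def grid_cell(risk: Risk) -> tuple:
    """Place a risk on the grid as (likelihood band, impact band)."""
    return _band(risk.events_per_year, LIKELIHOOD_BANDS), _band(risk.impact_gbp, IMPACT_BANDS)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual reduction in expected loss minus the annual cost of the control.
    Positive means the control pays for itself; negative means it costs more
    than the loss it removes."""
    residual = control.apply(risk)
    saved = risk.annual_expected_loss() - residual.annual_expected_loss()
    return saved - control.annual_cost_gbp


def worth_it(risk: Risk, control: Control) -> bool:
    return net_benefit(risk, control) > 0


# The £20m once-in-10-years case from the answer above, plus a contrasting
# low-impact, high-frequency risk.  Constructed figures.
NETWORK_ATTACK = Risk("major network attack", impact_gbp=20_000_000, events_per_year=0.1)
LAPTOP_THEFT = Risk("laptop theft", impact_gbp=5_000, events_per_year=20)

# Hypothetical controls: cut attack frequency to once in 100 years and halve
# the impact for £500k/yr; encryption and tracking cuts theft impact to a fifth.
ATTACK_CONTROL = Control("hardening and monitoring", 500_000,
                         frequency_factor=0.1, impact_factor=0.5)
THEFT_CONTROL = Control("encryption and asset tracking", 150_000, impact_factor=0.2)


if __name__ == "__main__":
    for risk, control in ((NETWORK_ATTACK, ATTACK_CONTROL), (LAPTOP_THEFT, THEFT_CONTROL)):
        residual = control.apply(risk)
        print(f"{risk.name}: grid {grid_cell(risk)} -> {grid_cell(residual)}, "
              f"£{risk.annual_expected_loss():,.0f}/yr -> "
              f"£{residual.annual_expected_loss():,.0f}/yr, "
              f"net benefit of '{control.name}': £{net_benefit(risk, control):,.0f}/yr")
```

Run as a script, the network attack moves from the occasional/high cell to rare/high and the control returns a positive net benefit, so it is worth buying; the laptop control removes £80k of expected loss a year but costs £150k, so on these figures it is not. The same `net_benefit` comparison is what the answer calls revisiting as the risk manifests itself: re-run it with the observed frequency and impact, not the original estimate.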
What do you need to take into consideration when outsourcing to make sure that you are still managing risk?
JW: You can never push the risk of IT security onto an outsourcer. You cannot say you have outsourced and simply outsource security as well. Security will always be embedded in your organisation.
Consider your outsourced environment as an extension of your own perimeter. Never assume what the outsourcer tells you in a contract or what is in a service level agreement. You have to make sure your outsourcer is making provision for your requirement. Impose your security policies and obtain agreement that they will be followed.
No matter how secure you make your network, you can never eliminate human error. What can you do to raise awareness among staff and create a security-aware culture?
RayS: It is about people, process and technology. You cannot patch for stupidity, and we should all remember that.
You will always have people who do not listen to what you tell them. You will also always have people who think they know better. The key is correcting a culture.
You need a top-down approach; it does not matter whether you are a senior executive or a user, it is about how you all believe in that culture.
You need a culture whereby you will not be told off if you get it wrong. Educate people in simple terms, whether it is posters on the walls or making time available to talk to them about what the company does to defend its networks and protect its data.
Explain that this is what we do, these are the controls that we put in place, this is our responsibility and you have a responsibility as an employee. It is incumbent on us all to recognise our responsibility and what we have to do. It is very simple in that context.
Can there be too much risk management? For example, billions of pounds were spent on the year 2000 bug with huge disruption but no real business benefit. How do we know where to stop?
CL: If you write the ultimate risk management policy, you end up being highly prescriptive and proscriptive, and people will find ways around it.
You have to make it as transparent and usable as possible. It comes down to repetition, to making sure that people realise the reason why you are doing this. People need to realise that their own actions can affect thousands of people.
You can overdo it, so make sure you get your priorities right, that employees are aware, and that the policy is kept up to date on a regular basis.
If you are in a department of 200 people and with a staff churn of 10 per cent per annum, there are two or three new people every month who have to be inducted on the policy. But people forget very rapidly, so you have to make sure they are continually refreshed.
What do you think of moves to clamp down on the use of mobile devices, such as BlackBerrys or USB drives, because of security fears?
CL: It is very easy to come up with a policy which says: “Thou shalt not”, but you often find out that people pay no attention to it.
You have to make sure that you can back up this sort of policy with technology. If you do not want people to use USB drives you will have to get rid of USB ports. If you do not want them to be able to write CDs and DVDs, take away any capability for rewriters to be in place.
That can be done at a general worker level without being a big issue. But when you start getting into the higher levels of the knowledge worker, you will have to start looking at exceptions.
This is where identity management comes in. You need to be able to say: “If that device is there, is it in a secure environment?”
You do not want an unauthorised employee using a USB stick on someone else’s PC, for example. If it is not in a secure environment you have to make sure it is in itself a secure device.
Do you have biometrics in place for this situation? Do you use proximity logins? Do you have multi-stage identity management? All these technologies need to be looked at.
Alternatively, you could tell staff that they have a certain amount of choice over the device they use but it has to meet corporate technology policies.
So if it does not have anti-virus facilities, does not support Java or does not support the way you monitor and control the device, it is not allowed on the network.
RayS: If you say “no” to employees they will find another way to do something. You must not create a “no” culture. You also must not create a policy which is unenforceable, because that creates apathy.
You must work with users, improve their awareness and understanding that if you do that, this is the effect. It is about making sure they are aware of what the impact is and them working with you and you working with them. It is really very simple.
Visit our managing risk online special report and join the debate: http://managingrisk.computing.co.uk