INTRODUCTION – Managing Information Risk: A Director's Guide


Information is critical to every large enterprise, yet its mission-critical importance is all too often overlooked – until something goes wrong.

Information risk management is a method of assessing information threats, which can be anything from a burst pipe flooding your server room to someone leaving a laptop on the train, and taking actions to minimise the chances of risks becoming reality.

The reasons for managing information risk are many. Security controls implemented in response to a risk assessment can avert heavy financial or reputational damage.

A 2008 cybercrime report by McAfee suggests that globally businesses lose $1 trillion a year in lost intellectual property and expenditures for repairing the damage. And cybercrime is just one small link in the information risk chain.

Poor organisational practice is another source of information leakage: organisations often fail to define, or to follow, strict rules for how information is handled.

According to the Privacy Rights Clearinghouse, the number of records containing sensitive personal information that were involved in security breaches in the US in the three years prior to December 2008 was 250 million. And in 2008 in the UK alone, there were 29 million instances where people’s personal information was disclosed.

While it is important to guard information closely, making it available to the right people is an equally important part of the risk management process, because data that is inaccessible or (worse) inaccurate is useless to the organisation.

While you can protect your organisation's systems internally, many threats are beyond your control. What happens when a natural disaster or terrorist incident cuts the power supply, or when snow on the line means your IT support team cannot get in to reboot the e-mail servers after a glitch? Continuity planning can mitigate such problems, but before an organisation spends potentially millions on a disaster recovery programme its directors must be satisfied that the impact of the risk, weighed against the likelihood of the vulnerability being realised, justifies the expense. In other words, would the clear-up after an incident cost more or less than the controls that would prevent it?

Of course, risk management can only go so far. At some point the cost of securing systems or data of marginal value outweighs the benefit of preventing the risk, but even then risk management can reduce the cost of putting things right after an incident.
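To make the comparison in the two paragraphs above concrete, here is an added worked example (it is not part of the guide) that scores a few scenarios with the standard annualised loss expectancy (ALE) method, which the guide does not name: loss per incident multiplied by expected incidents per year gives the annual expected loss, and a control is worth funding only if the annual loss it removes exceeds its annual cost. Every scenario, likelihood, impact and control cost below is invented for illustration; the names `Scenario`, `Control`, `ale`, `residual_ale`, `net_benefit`, `decide`, `max_justified_spend` and `prioritise` are this example's own.

```python
"""Quantitative cost/benefit check for information-risk controls.

Added example, not from the guide. Uses the standard annualised loss
expectancy approach (not named on the page):
    ALE            = impact_per_incident * annual_rate
    residual ALE   = ALE remaining once a control is in place
    net benefit    = ALE - residual ALE - annual cost of the control
A control is funded when its net benefit is positive. All figures are
constructed for illustration and are not real statistics.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    impact_per_incident: float  # clear-up cost of one incident (GBP)
    annual_rate: float          # expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # amortised yearly cost of the control (GBP)
    rate_reduction: float       # fraction of incidents prevented, 0..1
    impact_reduction: float     # fraction of per-incident cost avoided, 0..1


def ale(s: Scenario) -> float:
    """Annualised loss expectancy with no control in place."""
    return s.impact_per_incident * s.annual_rate


def residual_ale(s: Scenario, c: Control) -> float:
    """Annualised loss that still occurs after the control is applied."""
    remaining_impact = s.impact_per_incident * (1.0 - c.impact_reduction)
    remaining_rate = s.annual_rate * (1.0 - c.rate_reduction)
    return remaining_impact * remaining_rate


def max_justified_spend(s: Scenario, c: Control) -> float:
    """Break-even annual budget: the loss the control removes each year."""
    return ale(s) - residual_ale(s, c)


def net_benefit(s: Scenario, c: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return max_justified_spend(s, c) - c.annual_cost


def decide(s: Scenario, c: Control) -> str:
    """'fund' if the control pays for itself, else 'reject' (accept the risk
    or look for a cheaper control)."""
    return "fund" if net_benefit(s, c) > 0 else "reject"


def prioritise(plans):
    """Rank (scenario, control) pairs by net benefit, best first."""
    scored = [(s.name, c.name, net_benefit(s, c)) for s, c in plans]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed scenarios echoing the guide's examples (values are invented).
LOST_LAPTOP = Scenario("Laptop with customer data left on a train", 150_000, 0.5)
FLOOD = Scenario("Burst pipe floods the server room", 400_000, 0.05)
SNOW_OUTAGE = Scenario("Support team snowed out, mail server down", 30_000, 2.0)

# Constructed controls: encryption does not stop laptops being lost, it
# removes most of the impact; a hot DR site is expensive for a rare event;
# out-of-band management lets staff reboot remotely.
DISK_ENCRYPTION = Control("Full-disk encryption", 20_000, 0.0, 0.9)
DR_SITE = Control("Hot standby disaster-recovery site", 250_000, 0.0, 0.8)
OOB_MANAGEMENT = Control("Remote out-of-band management", 8_000, 0.0, 0.9)

PLANS = [(LOST_LAPTOP, DISK_ENCRYPTION), (FLOOD, DR_SITE), (SNOW_OUTAGE, OOB_MANAGEMENT)]


if __name__ == "__main__":
    for s, c in PLANS:
        print(f"{s.name}: ALE {ale(s):,.0f}, residual {residual_ale(s, c):,.0f}, "
              f"break-even spend {max_justified_spend(s, c):,.0f}, "
              f"control cost {c.annual_cost:,.0f} -> {decide(s, c)}")
    print("Priority order:", [row[0] for row in prioritise(PLANS)])
```

The flood scenario is the one the guide warns about: a disaster recovery site that costs 250,000 a year to remove an expected loss of 16,000 a year is rejected, even though a flood would be very costly if it happened. Likelihood matters as much as impact, and the break-even figure tells the director how much it would be rational to spend on a cheaper alternative.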

Recent Ponemon Institute research found that remedial action after a data breach cost $189 per compromised record in companies that practised information risk management, while the 56% of companies with no risk management programme spent $224 per lost record.

Successful information risk management should enable an organisation to accomplish its mission by better securing systems, by enabling management to make well-informed risk management decisions to justify the IT budget expenditure and by assisting management in authorising the IT systems.