Risk calculation is essential but to be successful it must be an ongoing process, not a periodic snapshot.
Risk calculation and mitigation is pretty much the first thing that enterprises need to do when they want to get an accurate idea of how much and where they should invest their security money.
"Business decision-makers always look to hard numbers whenever a budget is requested.
If risk management is to be successful it must be an ongoing process, not just a periodic snapshot.
They would like to see clear dollar values associated with the risk claimed to be out there, along with a clear RoI model linked directly to the business. Additionally, it is very difficult, nearly impossible, to be sure whether the investment put in place is really making sense to the business, or not, without realising the potential losses.
Therefore, calculating the risk becomes a necessity as part of the risk management process," says Ahmed Etman, security business development manager at Cisco Middle East.
Guru Prasad, general manager for networking at FVC agrees: "Risk assessment is absolutely essential. IT managers have to do that to be able to justify to their senior management security spend.
Basically that is the way to tell the CEO that if you don't invest in technology, these are the risks that the business faces. They have to do that assessment before the top management can say ‘yes go ahead and spend that money.'
That is one of the things we have also seen that IT managers struiggle with - how to justify spending on IT and the answer is simple - just do risk assessment. It is like selling insurance; unless you are really told what could happen or something really happens to you, you never think about buying insurance.
The same concept applies when buying security products and solutions.
Apart from helping IT managers and higher management plan the security budget more accurately, risk assessment is essential for enterprises to understand the threats that are likely to visit them and acts as a reliable guide to fashion policies to prevent or subdue attack vectors.
In spite of the obvious necessity of risk assessment, many Middle East enterprises remain either ignorant of the concept or shy away from the prospect of using it to advantage.
"We cannot deny that the majority of enterprises in the region are still in their infancy when it comes to such disciplines in information security management practices; however, the progress is certainly obviously moving in the right direction.
Over the last few years, several organisations, mainly in the government sector, have been heavily focused on creating security and risk management frameworks," says Etman.
In the Middle East, probably less than 25% of enterprises do risk assessment.
A lot of them are working on standards such as ISO 27001 but I don't think they are necessarily connecting security to business functions. Of this 25%, I would say less than 10% understand the concept and think and manage the organisation from a risk perspective," states Jeff Ogden, director of consulting at MENA for Symantec's global services.
It is essential that Middle East enterprises not only understand the importance of conducting risk assessment but also put in place the right processes for getting the most out of the procedure.
According to Symantec's recent white paper, many people confuse threats and vulnerabilities with risk.
To be at risk, an organisation needs to be subject to a threat that is able to exploit a vulnerability and then go on to cause an impact on some system or process that it is operating. All three elements: threat, vulnerability and impact need to be present for you to be at risk.
"Organisations have to understand what vulnerabilities arise in business. They have to understand business risk through processes that operate in the business. Risk assessment is about the business, not just IT in particular. That would be the next level, after looking for weaknesses in the business," states Ogden.
Etman states: "There are several methodologies that have been introduced for conducting risk assessment, varying between FRAP (Facilitated Risk Assessment Process) which is a high level, general risk assessment methodology up to CRAMM (the British Central Communication and Telecommunication Agency's risk assessment and management method), which is a very detailed process covering several aspects of IT governance.
The real gap we find in the region is that enterprise level understanding of the relationship between business processes and risk is very low.
"There are several parameters in calculating risk. Most of them are very difficult to accurately quantify. Therefore, approaches have to include a qualitative element as well in order to make assessments more accurate," he adds.
"First you need to know what you are protecting, what kind of assets they are, the classifications of these and their impact on the business. Based on that you need to know what kind of threats and attacks you might be most susceptible to, as an organisation. You have to understand business impact in either qualitative or quantitative requisites.
Qualitative in terms of the reputation of the company, quantitative in terms of the dollar sign - how much would that impact on the business," explains Bashar Bashaireh, Middle East regional manager at Fortinet.
Enterprise security threats themselves can be classifed into two major forms - external and internal - and it is essential for organisations to understand the ratio of risk they stand from each of these.
"You can use several measures to calculate which threats an organisation is more likely to face. The first is based on history, what incidents they have suffered from and the impact they had. The second involves peer benchmarking. The third way would be to analyse general trends and incidents in the big bad world," points out Ogden.
Most vendors agree that often organisations will be better off calling in an external third party organisation to do a lot of the processes involved in assessing risk efficiently.
This would especially cover those concerned with active measurement of variables within the enterprise, including personnel and policy. This can be bolstered by penetrating testing to get a precise view of a firm's risk vectors.
Following the results that arise from risk calculation, an enterprise can plan its security inputs across the network and its different end-points as well as design a policy to support solutions.
"One of the main ideas behind the risk assessment process is to reach a decision of how to handle the risk.
There are four options in dealing with the risk. The first is accepting the risk and this decision is usually taken when the losses due to specific risk are acceptable to the business.
Managing the risk which is done when the cost of managing the risk and reducing it to an acceptable level, is lower than the damage the risk would result into in case it is not managed.
Ignoring the risk, which is the most dangerous thing to do as it does nothing to reduce the risk's impact. Transferring or sharing the risk which is normally done by insurance or similar solutions," explains Etman.
"The key here is in working smarter. It is no longer possible to take a blanket approach to security. With good risk management, the analysis will help IT professionals to determine the correct response to threats, based on how it will impact the risk score and the time and effort involved in achieving it," says Patrick Hayati, regional director at McAfee in the Middle East.
Furthering the process
Risk assessment is not a stand-alone, one-time process. It is always a continuous one and, according to most vendors, this is where even the most hardened enterprises in the Middle East, which implement risk calculation and mitigation processes, fail.
"The final part of any risk assessment is continuous monitoring. Many people do the first few processes but do not do this last part. However, all of them are very essential steps to maintain creative risk assessment policies," says Prasad.
He adds that organisations who want to remain alert to changing risks have to invest in three to four penetration testing and vulnerability assessment exercises, conducted by external firms or by internal staff, every year.
Hayati adds: "If risk management is to be successful it must be ongoing, not just a periodic snapshot. Risk management gives the business a view of the value IT security brings.
No one calls the network support team to tell them they are doing a good job, however they are always quick to complain. Security faces the same challenge and risk management can be used to show the difference that has been made. Equally, it can be used to educate the business on risk changes (due to new threats or changing environment) and understand the requirement for ongoing security investment.
"Risk management is an ongoing process. I would say a journey and not a destination. Having a plan in place to review, reassess, and iterate controls is necessary," says Etman.
However, all of this might be a subset of the real reason why enterprises in the region are yet to catch up with risk calculation and using the results for their mitigation strategies - the continuing inability of many of these firms to connect business processes to security risk.
"The real gap we find in the region is that the enterprise level understanding of the relationship between business processes and risk is very low. IT risk is not often considered in the light of the business and we fall back to the 10% number which actually does that," says Ogden.
"It is not in the culture today to start with business risk and relate it to IT. It is often worked from the other end. IT risks are considered in terms of security but there is no bridging to business functions. That is the biggest gap," adds Symantec's Ogden.
A gap, which once bridged, might lead to the rest of the processes of risk calculation falling into place.For all the latest tech news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.
Subscribe to Arabian Business' newsletter to receive the latest breaking news and business stories in Dubai,the UAE and the GCC straight to your inbox.