What does risk and risk management mean to you?
Risk, in my opinion, is the possibility of an event, either positive or negative, occurring; this event hasn't happened before. If a risk has occurred, and it holds negative aspects, then it is merely a threat. Risk management would be the science of identifying all possible risks that may present themselves in a project, as well as the process of classifying, ranking, and planning for their appearance. Risk management, in cybersecurity or project management, is vital in ensuring the continued operations of an organization in the likely event of an unexpected occurrence, which can either damage or hinder the organization's success.
Are there different definitions for risk? If so, what are they? Is one better than another?
In cybersecurity, risk assessment and risk management are vital cogs in the theoretical wheel of business success. In risk assessment, identifying all possible risks that an organization might face allows for a proper system to be created to facilitate an adequate protection system (risk management). Both risk assessment and management rely on the relative importance of the identified threats, which can be established in one of two ways: qualitatively or quantitatively. Choosing between a qualitative and a quantitative approach to formulating a risk assessment is a common question for security personnel; however, in my opinion, employing a combination of both methods is the key to compiling an accurate and practical risk assessment. Due to the various definitions of risk, it can be challenging to create a plan for risk management; however, by first identifying the type and severity of the risks, one can better plan for the future.
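To make the qualitative-plus-quantitative point concrete, here is an added example (not part of the original post) that scores a small constructed risk register both ways and blends the two into one ranking. The scoring formulas (likelihood x impact on 1-to-5 scales; ALE = SLE x ARO) and the sample risks and dollar figures are assumptions of this example, not taken from the post.

```python
"""Added example: a risk register scored qualitatively and quantitatively,
then ranked by a weighted blend of both. Formulas and sample values are
assumptions of this example, not from the original post."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int      # qualitative, 1 (rare) .. 5 (almost certain)
    impact: int          # qualitative, 1 (negligible) .. 5 (severe)
    sle: float           # single loss expectancy, dollars per occurrence
    aro: float           # annualised rate of occurrence (events per year)

    def qualitative_score(self) -> int:
        return self.likelihood * self.impact          # range 1 .. 25

    def ale(self) -> float:
        return self.sle * self.aro                    # annualised loss expectancy


def rank_risks(risks, weight_quant=0.5):
    """Return (name, blended_score) tuples, highest first.

    Each method is normalised against the register's maximum (0..1) so that
    neither scale dominates, then blended: weight_quant on the ALE share and
    the remainder on the qualitative share."""
    max_q = max(r.qualitative_score() for r in risks)
    max_a = max(r.ale() for r in risks)
    scored = []
    for r in risks:
        q = r.qualitative_score() / max_q
        a = r.ale() / max_a if max_a else 0.0
        scored.append((r.name, round((1 - weight_quant) * q + weight_quant * a, 3)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register; the values are illustrative only.
REGISTER = [
    Risk("Phishing leads to credential theft", 5, 3, 20_000, 2.0),
    Risk("Ransomware on file server", 2, 5, 250_000, 0.2),
    Risk("Lost unencrypted laptop", 3, 2, 8_000, 1.0),
]

if __name__ == "__main__":
    for name, score in rank_risks(REGISTER):
        print(f"{score:.3f}  {name}")
```

With these sample values the qualitative view ranks phishing first while the pure ALE view ranks ransomware first; the blended ranking is what a combined assessment would hand to management.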
How would organizations benefit from having a formal risk management program (especially for IT and security)?
Organizations in modern times encounter numerous risks as more everyday operations are handled over the Internet; due to this, a formal risk management program should be required. In many cases, businesses do not understand how risk impacts them daily, leading to unplanned outages, cyberattacks, and data loss. With a finely tuned risk management program, an organization can plan for the worst, expect the best, and be prepared to handle any situation that unfolds.
Describe how an organization you’ve worked for or observed handles risk. Do they use a formal risk management process or tool? Or is it more ad-hoc, where risks are handled differently on a case-by-case basis?
As a current IT manager, my organization is in the early stages of developing a risk management program; this offers me a unique situation in which I can apply the lessons I learn from my studies. At the moment, we have no formal risk management framework and merely react to problems on the fly. We recently had a situation in which an external threat tried to penetrate our cybersecurity defenses; in this scenario, I finally had the proof I required to convince management of the necessity of planning for and mitigating risks, and of improving our methods. In the coming weeks, I will be developing a solid risk management program.