In this rebuttal to the post by Richard Stiennon called “Why risk management fails in IT”, Steve Schlaman argues that IT risk management is the victim of the media and of the business's perception that “IT security is losing the war against the bad guys.” Schlaman states this is too broad a statement: IT security has become more intelligent and more repeatable, and it delivers better results than in the past. One area that Schlaman points out as an improvement is asset identification, something Stiennon said was impossible. Schlaman, however, disagrees:
One of the first tasks in risk management when it comes to IT security is to know what you need to protect. This is a significant challenge and, with the proliferation of devices, it seems an insurmountable task. However, technologies are addressing the “find the needle in the stack of needles” problem and identifying where important data is flowing out of or into the organization and where it ends up. For example, data loss prevention technologies continue to expand their scope, accuracy and capabilities. Some perspective is useful when looking at progress against this problem. Will an organization have an absolute list of every desktop, laptop, mobile device, router, switch, database and widget in the entire IT universe? No. But can an organization find where personal information, credit cards, key research and development plans and other jewels of the company live? Absolutely. Today.
Schlaman explains that, at the core of IT security, there need to be fundamental risk management approaches that are agile and contextual. While IT security is by no means as good as it needs to be in most cases, creating a best-practices approach that can be repeated consistently will be the element that pulls it out from the perception of consistent failure.