"You still need to understand the nature of your exposure. You need to understand the value of your assets and risks to them to prioritize mitigation appropriately," says Scott Crawford, managing research director for Enterprise Management Associates.
And yet, because of resource issues and a perception by some that risk management is a discipline meant to be practiced by only the largest organizations, many SMBs fail to ever formalize the process of measuring risk to refine how they protect their IT assets and data.
But risk management principles can be a real boon to SMBs who can properly put them into play. One of the biggest benefits of quantifying threats through risk management is the loosening of security purse strings to address the threats that really do impact the business, says Brady Justice, director of systems engineering for TraceSecurity. With no risk assessments or any risk quantifications in place, IT tends to have a difficult time translating security threats into language that budgetary decision-makers understand.
"People with the risk management philosophy tend to have an easier time getting the budget they need because of the way that they're presenting the data," Justice says. "Risk translates to everybody. You don't have to be a technical individual to understand risk."
But actually figuring out how to measure risk may be a daunting prospect for SMB IT professionals. As it stands -- regardless of organizational size -- risk management is still an inexact science, Crawford says.
"Risk management in terms of capital 'R,' capital 'M' -- that's still something of an evolving science within IT security," Crawford says. "As an industry, we're becoming more literate about ways to measure and quantify risk. But that doesn't mean that it is either uniform or particularly straightforward in a lot of cases."
Within enterprises, risk management specialists tend to hedge against the inexact nature of the discipline by using a whole slew of metrics, quantification models, and formulas to measure risk as objectively as they can. SMBs will rarely have the resources for that level of analysis of their IT infrastructure. What often happens is that smaller organizations that try to transplant enterprise measurement strategies directly get so bogged down in the details that their risk management programs never get off the ground, says Dariel LeBoeuf, vice president of sales and marketing for TraceSecurity. He suggests staying out of the muck by taking a KISS ("keep it simple") approach.
"Don't try and overcomplicate it," he says. "Pick a good, fundamental way to do it, and don't try and implement an enterprise-level program that has 22 different scoring methodologies because you'll be caught in a rat hole of chasing the right way to do it."
Fundamentally, the program's foundation should be built on solid risk assessments, he says.
"Starting with a true risk assessment approach is a key starting point," he says. "You want to come up with an objective way to compare one set of risks -- that is, an asset and threat combination -- to another set so you can focus your efforts on the highest-level risks. That's the guiding principle."
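To make the "asset and threat combination" idea concrete, here is an added example of the kind of deliberately simple scoring register LeBoeuf is describing. It is not code from TraceSecurity or from any product named in this article. The 1-to-5 ordinal scales, the multiplicative inherent score and the linear control-effectiveness discount are assumptions chosen for illustration; the sample register entries are constructed, not real findings.

```python
"""Minimal asset/threat risk register: score each pair once, then rank.

Added illustration only. Scales and formula are assumptions:
  asset_value, likelihood, impact are ordinal 1..5
  inherent = asset_value * likelihood * impact        (1..125)
  residual = inherent * (1 - control_effectiveness)   (controls in 0.0..1.0)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: int            # 1..5: how much the business depends on the asset
    likelihood: int             # 1..5: how often the threat is expected to occur
    impact: int                 # 1..5: damage if the threat is realised
    control_effectiveness: float  # 0.0..1.0: fraction of the risk existing controls remove

    def validate(self) -> None:
        """Reject scores outside the agreed scales so the ranking stays comparable."""
        for name in ("asset_value", "likelihood", "impact"):
            v = getattr(self, name)
            if not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{self.asset}/{self.threat}: {name}={v!r} must be an int in 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(
                f"{self.asset}/{self.threat}: control_effectiveness must be in 0.0..1.0")

    def inherent(self) -> int:
        """Risk before any controls are considered."""
        return self.asset_value * self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left after crediting the controls already in place."""
        return self.inherent() * (1.0 - self.control_effectiveness)


def rank(register):
    """Return (asset, threat, inherent, residual) tuples, highest residual first.

    Ties break on inherent score, then alphabetically, so the order is stable
    and reproducible when the register is re-run after a change.
    """
    for r in register:
        r.validate()
    return [
        (r.asset, r.threat, r.inherent(), r.residual())
        for r in sorted(register,
                        key=lambda r: (-r.residual(), -r.inherent(), r.asset, r.threat))
    ]


# Constructed sample register (hypothetical assets and scores, not real findings).
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection via web app", 5, 4, 5, 0.5),
    Risk("file server", "ransomware via phishing", 4, 5, 4, 0.25),
    Risk("office printer", "unauthorised print jobs", 1, 3, 1, 0.0),
    Risk("customer database", "backup tape loss", 5, 1, 5, 0.8),
]

if __name__ == "__main__":
    for asset, threat, inh, res in rank(SAMPLE_REGISTER):
        print(f"{res:6.1f} residual  ({inh:3d} inherent)  {asset}: {threat}")
```

Note that the ordering, not the absolute numbers, is what this buys you: the file-server ransomware pair outranks the database injection pair only because its existing controls are weaker, which is the conversation a budget holder can follow. Multiplying ordinal scales is a rough model (Crawford's "inexact science"), so treat the scores as a consistent way to compare pairs, not as a dollar figure.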
Additionally, as smaller businesses embark on the journey of developing a risk management program, they need to remember they don't have to do it all themselves, says Richard Reinders, information security analyst at Lake Trust Credit Union.
"One of the difficulties of being a smaller organization is that you're not going to be the expert on everything," he says. "Your team is just not going to be large enough, so you'll end up relying on outside advice. You need to find partners that you can trust -- not just to be after your money, but to actually care about your information security."
This is critical for organizations like his, a Lansing, Mich.-based credit union that serves more than 1,500 members and is responsible for managing $1.5 billion in assets. On the IT risk-management front, just two in-house staffers are in charge of protecting the technology environment. Reinders works full-time in the organization's enterprise risk management department in concert with another full-time employee in information systems: Reinders and his department work on policy, while his counterpart in IS translates those policies into procedures.
Reinders says seeking partners who can bridge knowledge gaps is critical to ensuring that the combination of in-house and external skills proves up to the task of measuring and mitigating risk. Technology can also play a role in smoothing out resource gaps. Reinders says he looks for technologies that can automate risk assessment and pinpoint weaknesses in controls even as the infrastructure changes, including a new one from TraceSecurity, TraceCSO, a cloud-based governance, risk, and compliance tool for assessing and managing risk.
"We're looking at taking a variety of inputs and trying to prioritize to apply our resources as effectively as possible and give us the biggest bang for our buck," he says.
According to Crawford, automation like this should increasingly play a role in SMB risk management, where organizations often do not even have a formally designated security function the way Lake Trust Credit Union does.
"You may have people wearing multiple hats who need technology that can provide some sort of capability and intelligence in defining practices that would be recommended for basic risk mitigation," Crawford says.
Unfortunately, right now the market is primed mostly for enterprise-class risk management automation that offers a lot of flexibility and scalability along with unreachable price tags, or for compliance-driven SMB solutions that de-emphasize risk management. TraceSecurity's foray into down-market automation could be a sign that things are about to change, though.
"Most small organizations are just nearly overwhelmed at the complexity, so expect technologies like this to bring some order to the chaos of risk management in such a way that you can demonstrate due care," he says. "They need something on the order of enterprise-class capabilities, but not necessarily with the same level of scalability."