Network Visibility: The Key to Risk Management
These three steps can help you establish a "reality-based" risk mitigation plan
by Dirk Paessler
Life is fraught with risk, from small events to catastrophic occurrences, and the IT world is no exception. Although a subset of network-based problems (including computer worms and viruses, intrusion attempts, and denial-of-service attacks on business Web sites) often garners most of the attention from IT security groups, they are only part of the risk picture.
IT traditionally has responded to these threats in piecemeal fashion, often by buying a "black box" solution, but these exposures need to be evaluated in the context of the total risk picture. Responses need to be planned according to the business value of each risk and the available resources for mitigation. Further, they must be planned with the realization that risk can never be eliminated and that part of risk mitigation is planning for the inevitable events that will occur no matter how well IT protects itself.
IT faces three major classes of exposures:
1. Technology risks: These are the traditional concerns of IT security such as viruses and hardware failures. The best mitigation strategies for these issues are usually technical tools backed by strong policies and specific tactics for dealing with problems. Today many of these problems are network-related, making strong network management a central tool for risk mitigation.
2. Legal and personnel risks: These are varied and can include hostile workplace suits, document preservation to meet legal discovery requirements, and sabotage or business espionage by employees. For the most part, mitigation hinges on good management practices. Managers should be trained in the skills of management, just as engineers are trained in the knowledge and skills of their jobs.
3. Natural and man-made disasters: These include fire, flood, earthquake, storm, and, in this post-9/11 world, terrorist action. Mitigation includes setting up data centers in low-risk areas and disaster recovery planning.
Chances are there is something from each one of these categories that keeps most IT managers up at night. We can't eliminate risk, but we can prepare for it. We offer three steps IT managers should consider when establishing a "reality-based" mitigation plan.
Step 1: List and rank possible risks according to their business importance
Identify the groups of exposures under each class and rate each according to its likelihood and the cost of the damage it will cause to your enterprise. For example, viruses may cause a relatively small amount of damage, but their likelihood is 100 percent. Conversely, major disasters will cost a huge sum but may only have a one or two percent likelihood of occurring each year. Multiplying cost by likelihood provides a rough numerical rating of the overall importance of each group of exposures. All of these figures, of course, will be rough estimates, but they will be close enough.
These risks are not always obvious. For instance, one of the most important under-identified IT risks is the chronic slowdown of traffic to vital IT assets due to network overload. This is particularly true as organizations replace traditional analog telephone systems with internal VoIP and as data traffic consists of larger media files (such as MP3s, JPEGs, and digital video), all of which increase network demand.
If a delay of one minute in traffic supporting a key IT asset can cause a business loss, then what is the business value of chronic delays of fractions of a minute for every transaction sustained over much of the business day? These issues make strong network management (including prioritization and traffic policy automation) vital. Identifying the business value of IT assets gives network managers a huge head start in traffic prioritization because these figures can provide a good basis for developing the prioritization plan.
The overall risk tolerance of your organization must also be assessed. Risk tolerance varies widely. For example, financial institutions tend to be risk averse; highly entrepreneurial companies may be risk tolerant. Any exposure that falls inside your organization's risk tolerance can be given lower priority for mitigation.
Step 2: Identify and budget for appropriate mitigation strategies
Identify the appropriate mitigation strategies for each risk area. Some, particularly the technical risks, will have obvious answers. Others may have more than one possible strategy. For instance, effective management and insurance are both viable strategies for mitigating legal risks. Each of these needs to be roughly budgeted for, and in many cases the amount of mitigation will vary with cost. This is particularly true for insurance and for disaster recovery strategies.
At this point, some strategies will pop out, where the cost of mitigation is so low compared to the business cost of the exposure that immediate action should be taken. Strong network management is in this category. It provides the best mitigation against a list of network risks starting with switch failures. It's the backbone for an effective strategy to counter these events quickly, and it issues early warnings of other risks -- ranging from bots working from infected laptops to employees downloading large numbers of video files that can slow network services (and may contain inappropriate material).
Although most hardware (such as servers and disk drive systems) shares the business value of the service it supports, the network has a special place in the risk management plan because network failures impact multiple IT services. These shared resources take on the business value of the most valuable service they support, which again argues strongly for excellent network management and visibility.
Step 3: Identify resources
The final step is to identify the actual resources – both in terms of money and staff – available for mitigation. Only rarely can a risk mitigation plan be fully implemented in a single budget year; decisions about what to do now and what to put off to future years become the hardest part of risk management. In some cases the decision must be "either/or." In others, the decision may be to take partial action this year and plan further action in the future. For instance, network defenses may be strengthened year-to-year with the addition of new firewalls and other protections.
Often, particularly with smaller companies, some risks must simply be accepted. For instance, the company may not be able to survive the loss of its computer/voice network, but it also may lack the resources to create a duplicate facility. More than one small company has gone bankrupt after a major fire. The only answer may be to accept that some risks will mean closing the business and hope that they do not happen.
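The three steps above, worked through as a small Python model (an added example, not code from the article or from Paessler): Step 1 scores each exposure as cost times likelihood and ranks it, setting aside anything inside the organization's risk tolerance; Step 2 rates each mitigation by the expected loss it avoids per unit of mitigation cost; Step 3 funds mitigations in that order until the year's budget is spent, deferring the rest. The exposure names, figures, tolerance and budget are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    cost: float               # damage per occurrence
    likelihood: float         # probability of occurring in a year (0..1)
    mitigation_cost: float    # rough budget for the chosen mitigation strategy
    mitigation_effect: float  # fraction of expected loss the mitigation removes

    def expected_loss(self) -> float:
        return self.cost * self.likelihood          # Step 1: cost x likelihood

    def loss_avoided_per_unit(self) -> float:
        # Step 2: how much expected loss each unit of mitigation money buys
        return self.expected_loss() * self.mitigation_effect / self.mitigation_cost


def rank_exposures(exposures, tolerance):
    """Step 1: highest expected loss first; exposures within tolerance go last."""
    above = [e for e in exposures if e.expected_loss() > tolerance]
    within = [e for e in exposures if e.expected_loss() <= tolerance]
    return sorted(above, key=Exposure.expected_loss, reverse=True) + \
        sorted(within, key=Exposure.expected_loss, reverse=True)


def plan_mitigations(exposures, tolerance, budget):
    """Steps 2 and 3: fund the best-value mitigations first, within budget."""
    funded, deferred, remaining = [], [], budget
    candidates = [e for e in exposures if e.expected_loss() > tolerance]
    for e in sorted(candidates, key=Exposure.loss_avoided_per_unit, reverse=True):
        if e.mitigation_cost <= remaining:
            funded.append(e.name)
            remaining -= e.mitigation_cost
        else:
            deferred.append(e.name)   # plan further action in a future year
    accepted = [e.name for e in exposures if e.expected_loss() <= tolerance]
    return {"funded": funded, "deferred": deferred,
            "accepted": accepted, "spent": budget - remaining}


SAMPLE = [  # constructed figures, in arbitrary currency units
    Exposure("viruses", 20_000, 1.0, 5_000, 0.8),
    Exposure("switch failure", 50_000, 0.5, 10_000, 0.9),
    Exposure("major fire", 2_000_000, 0.02, 300_000, 0.95),
    Exposure("hostile workplace suit", 100_000, 0.1, 4_000, 0.5),
    Exposure("laptop theft", 2_000, 0.3, 1_000, 0.5),
]

if __name__ == "__main__":
    for e in rank_exposures(SAMPLE, tolerance=1_000):
        print(f"{e.name:24} expected annual loss {e.expected_loss():>10,.0f}")
    print(plan_mitigations(SAMPLE, tolerance=1_000, budget=25_000))
```

With these figures the duplicate facility against fire ranks first by expected loss but last by value per unit cost, so it is deferred rather than funded this year, which is the "either/or" situation the text describes.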
Conditions, including risks, change over time. Therefore, risk planning is at least an annual exercise that should be an early part of the budget process.
Ultimately there are no guarantees. Life is risky, and a certain amount of risk has to be accepted by any organization. Risk management is not about guaranteeing that nothing bad can happen, because clearly even the most secure environments have experienced problems. Rather, the aim of risk management is to reduce exposure to a manageable level that the business can afford (or at least survive).
If IT can manage that, it can consider its risk management program successful.
- - -
Dirk Paessler is CEO of Paessler AG in Germany. You can reach the author at firstname.lastname@example.org.