For one thing, there are all those horror stories ripped from recent headlines and amplified as they travel across the Web. Then there are the increasingly onerous laws and regulations, and of course, the never-ending vendor hype. As a result, it can be difficult to achieve a levelheaded assessment of one's situation and to get clarity regarding the best policies and investments to adopt.
But fundamentally, companies may still be missing the boat. Bentley College Professor of Mathematical Sciences Charlie Hadlock has worked the risk equation from many perspectives. Previously employed at the consulting firm of Arthur D. Little, he did risk analysis and consulting for companies around the world. More recently, as dean of the undergraduate college at Bentley, he has been involved with risk planning and even Y2K preparation. "There is a lot of hype from companies selling services in this area. I have looked at some of it and it doesn't seem to be very scientific or very compelling; it is about selling a product or a service," he says.
Dr. Paulo Goez, Gladstein Professor of Information Technology and Innovation at the Operations and Information Management Department of University of Connecticut, also says that organizations often misunderstand the risks they face. In particular, he says those who study risk see the same phenomenon repeated in endless variation: No matter the industry, technology or situation, when the probability of an event is small, individuals tend to discount the risk, even if the potential consequences are dire. "It is a psychological phenomenon, but that in itself represents a real risk for companies," he says. Most individuals underprepare because they believe "it" won't happen to them. However, he says, organizations must be more rational.
Goez says there's plenty of applicable literature available about risk management with probability, payoff functions and cost functions. In addition, within the finance area, there are many well-developed models for risk assessment.
"I think one of the key issues is the amount of organization-specific internal knowledge available that should really be used to govern how a company or organization is positioned regarding the risk of data loss," says Hadlock.
Hadlock says it's important to tap that internal knowledge effectively, and in most cases that means bringing in an outsider. "In every organization, there are cultural biases that tend to limit the objectivity of an assessment, so you need to be sure the process achieves a certain amount of independence." He says some kind of outsider perspective can ensure that cultural biases don't hobble an assessment.
On the other hand, he suggests that simply outsourcing the problem may not work, because consultants have biases of their own and may miss nuances at an individual business. "What I have seen work the best is when companies bring in someone with a broad understanding of risk and the sometimes peculiar ways in which it can appear. They can serve as a facilitator to help companies help themselves."
Finally, says Hadlock, look for help in implementing a mathematically based method, one "that can force you to look under every rock for potential problems."
Roberta J. Witty, Gartner Inc.'s research vice president of security and risk management, agrees. "There are holes" in the process of risk management. "People do these things, but they really need to be carefully tailored to the specific business," she says.
Thus, she adds, each company must develop its own requirements and models. "In general, this is still a very nascent process -- large financial institutions and large multinationals are doing this, but the average smaller organization is depending on consultants, who often have their own proprietary models," she says.
Whatever you do, Witty advises looking at the impact to the business from a number of angles, including revenue, profitability, customers and partners, contractual and third-party agreements, brand reputation, and employee, government, and community confidence. Moreover, says Witty, you should examine risks multiple times a year, especially when new risks appear that you weren't previously tracking.
Above all, she notes, ensure that the safety and integrity of data isn't just an IT problem. It needs to be a process that engages the whole business, ideally an "enterprise risk management group, because this level of security is both an IT and a business risk issue," she adds.
About the author: Alan R. Earls is a Boston-area freelance writer focused on business and technology, particularly data storage.