The Information Risk Management bedtime story

Once upon a time, a young boy asked his father for a bedtime story and wanted his favourite tale. Now the boy was a curious child, and it wasn’t ‘Who’s Afraid of the Big Bad Wolf’ he was after, it was ‘How to implement effective risk management in a business environment’.

As well as being a good dad, the man was a consummate information security professional, so he happily launched into one of his own favourite stories. The boy was regaled with tales of wicked Threat Sources driving poor Threat Actors to cause an impact that could only be countered by heroic knights wielding strong security controls. Within 30 seconds the child was fast asleep, smiling at how good this story was at making him nod off.

Zzzzzzzzzzz – are you still awake?

Regrettably, the soporific effects of the IRM story are all too well known. As soon as we security people start to explain the obvious benefits of information risk management the eyes of our audience glaze over and the snoring starts. That’s tough! We know it makes sense and our argument is strong, yet getting it across to people and making it relevant is difficult. So, if you’re not sitting too comfortably, let me try again.

Can you tell the big bad wolf from the wicked queen?

Managing a modern business, whether a private or public sector organisation, requires the Board to know what the critical services to customers are and what mechanisms are needed to manage the risks (financial, regulatory, market, competitor, etc.) to delivering those services. Business risk management processes, supported by tools, are used to monitor risks and to support informed decisions on how best to take advantage of opportunities and avoid pitfalls.

Protecting your kingdom

Risks to information should be an intrinsic part of the business risk management process but are often left out of it. After all, information risk is an IT ‘thing’, isn’t it, and something for the CFO and the security manager to deal with? In fact, information risk is not specifically an IT matter, since information exists in many forms: from company IPR data, to staff personal details, to sensitive client information that you may have been entrusted with. Information is crucial to delivering business services, and knowing what information is essential to which business process is the first step to understanding the problem.

Can you answer the following questions satisfactorily?

  1. Do you know what your organisation’s key information assets are for each critical business service and do you know what impact it would have if these assets were compromised in some way?
  2. Have you identified the key threats to the information in these critical services?
  3. Are you confident that your organisation’s most important information is being properly managed and is protected appropriately?

Knowing where to station your knights in shining armour

Information Risk Management (IRM) is the process of identifying, understanding and managing the risks to the information necessary to support the delivery of business services. The aim is to support managers in making informed decisions about risk, not stifling innovation with inappropriate and expensive security controls (no matter how heroic the knights wielding them are).

Working for the happy ever after

Tackling information risk needs strategic thinking and a broad view. IRM helps to identify the most important information assets and the risks they face as a consequence of doing business. Measures to manage those risks have to be proportionate and balanced to support business delivery. Effective IRM will:

  • Identify what the real risks are to your information;
  • Inform decision making about taking advantage of business opportunities;
  • Give customers and partners confidence that their information is protected;
  • Support critical business functions with a balanced level of protection.

A balanced IRM approach will help you to identify and manage the true risks to the information you hold AND deliver wider business benefits by managing the risks to your own information. Looking at both will deliver cost efficiencies and strengthen your business – and you’ll be poised for a happy ever after.

Having nightmares?

So, if you are having nightmares from the horror stories of unmanaged information risk, here’s what you can do:

NB: The Department for Business, Innovation and Skills has launched the Cyber Voucher Scheme, open to SMEs and sole traders. Organisations can claim up to £5,000 towards IRM measures, but hurry, as the scheme closes on 24th July 2013.

So that’s the information risk management story. Still awake? How did I do? I’d love to know.

Article by Steve Maddison, Director and Principal Consultant at Ascentor.
