As an Information Security professional I think it is increasingly important to understand the difference between IT Risk and Information Risks. You should also understand the advantages in enabling business strategies by ensuring that you brand each one of these risks accordingly.
Here are my high level definitions:
- IT Risks - The probability that a vulnerability of an information technology solution or asset will be exploited and the likely damage from the exploitation.
- Information Risks - The probability that information/data can be exploited and the likely damage from the exploitation.
While these may seem similar to the layman, they should clearly be viewed and positioned differently by the Information Security professional. Here's why:
- IT Risks should have a focus on technology, while
- Information Risks should not have a focus on technology
By clearly positioning the two as different, it is easier to delineate responsibilities when partnering with the business on managing risks. Knowing who owns what always increases your chances of being successful. IT Risks, given their technology orientation, will rightfully land more on the plate of IT professionals to manage than on the business. Information Risks should accordingly land more on the business side. When I say "land" from a responsibility standpoint, I mean from a custodianship standpoint, not who is ultimately (final review/approval) accountable. The business is always ultimately accountable for managing risks.
By leveraging these two definitions, not only are you able to better delineate responsibility, you also ensure that vulnerabilities in non-technology related areas are more effectively addressed through the lens of "Information Risk". For example, if one focuses solely on IT Risks related to a privacy breach, one can too often overlook the many vulnerabilities related to privacy risk in areas such as supervisors approving inappropriate access to personal information, or poor physical security of offices containing personal information.
You may encounter different terminology for the above two risks. Don't get hung up on terminology; you can call these two things anything you want. Some call IT Risks "Technology Risks", some call Information Risks "Data Risks", and some even call Information Risks "IT Risks". Just know that one of these deals with the risk associated with technology being exploited, which of course can have an impact on information, but also on a lot of other things. The other is focused solely on the information and data, and should not be tied solely to technology factors.
This is a guest post by Mark Brooks, a consultant and leader in the field of global information risk, security, and compliance.