IT Security Vs. Info Risk Management

NIST Expert Explains the Difference Between the Two
Information risk management, at its core, is about tradeoffs, says NIST Senior Scientist Ron Ross. "When you assess risk, as part of the risk management process, you're going to find things that are not quite right," Ross says in an interview with. "The risk management process is always about tradeoffs, tradeoffs to mission, and the ability of the organization to provide, what we call, adequate protections, to make sure those missions are not going to go south at an inopportune time."

For its inauguration, turned to Ross, the principal author of the National Institute of Standards and Technology information risk management guidance, to explain the difference between information risk management and information security. "They're very, very different, and I think a lot of people get those two things mixed up," he says.

"Information security is the classic definition: confidentiality, integrity and availability, testing information and the systems that process or transmit information from unauthorized disclosure, unauthorized modification and denial of service," Ross says. "We have a whole body of knowledge and controls that we try to apply to reach what we call the 'level of adequate security.'"

Information risk management is a different proposition altogether. "Risk management tries to look at the threats, our current vulnerabilities, the potential impact to our missions, if we have a cyber breach, and the likelihood that that's going to happen. That's the risk assessment piece, which is part of a larger risk management, where we assess the risks and then respond to those risks in a certain way, and we monitor risks."

Organizations don't have unlimited resources to totally safeguard information and the enterprise. "When you assess risk, as part of the risk management process, you're going to find things that are not quite right; you'll have risks that you have to deal with," Ross says. "And, how you respond to those risks, by either accepting or rejecting or mitigating, applying more controls, transferring or sharing, those are all legitimate risk response measures."

In the interview, Ross discusses:

  • Responsibilities of IT and non-IT leaders in information risk management.
  • Impact of breaches on information risk management.

Ross is chief author of Special Publication 800-53, NIST's security controls guidance, and leads the institute's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.
