Security compliance tool: Third Defense

Third Defense is a Seattle-based company which provides cool web-based security compliance tools. I just did a trial run of their Risk Communicator, which allows you to document, categorize, and prioritize business risks in a convenient but detailed way.

The product trial is free and can be accessed via the homepage link above. Notably, there’s no sign-up delay in getting started with the trial: simply enter your contact info and a password and it drops you into the web application dashboard.

I was curious how useful a compliance tool would be to a company such as JW Secure, since while the software industry in general isn’t traditionally thought of as “regulated,” many of our customers certainly are. My first step was to select one of the existing sample assessments and to start adding and deleting risks from it as appropriate.

One of the best features of Risk Communicator is the built-in repository of risks, each with a detailed description, that you can choose from to get started. Given the inherent complexity of security and the many types of risks that daily confront businesses of all sizes, there are guaranteed to be many items in the canned list that will catch your attention: for example, change control, mobile device encryption, security strategy, single-factor authentication, etc.

Of course, any business is subject to a laundry list of low-level risks. The purpose of this tool isn’t so much to document every one of them. Rather, it’s to focus on those that are current hot items, and especially those that are motivating a budget or staffing request.

Once a list of risks has been made, Risk Communicator places them on a heat map. This is definitely another cool feature, since it does two things at a glance: first, tell you where you need to be spending more, and second, show you which risks may be weighted incorrectly.

Overall, there are two key points to be made about IT risk management. First, the problem is always broader than just IT: this is the whole business we’re talking about. However, few companies outside of the traditional “regulated” industries (banking, healthcare, government) bother to document or quantify their risks to any useful level of detail, and those that do use static tools such as a spreadsheet. And yet, tactically, using an interactive risk prioritization tool can be valuable to any company, because it keeps you focused on the right risks, helps you make smart investments in IT and elsewhere, and lets you spend your time wisely.

The second key point is that the goal isn’t to avoid risk. Indeed, risk avoidance is itself a dangerous risk, and can be among the worst mistakes a company can make. Instead, the goal is to understand risk, attempt to quantify it, and where possible, mitigate it. It is said that the best entrepreneurs aren’t so much risk takers as they are “risk understanders”. Third Defense has an interesting tool set for those who want to better understand risk.
