Book Review: Security Management—The Driving Force for Operational Resilience: The Firefighting Paradox
Security Management—The Driving Force for Operational Resilience: The Firefighting Paradox. By Jim Seaman and Michael Gioia. Publisher: Routledge; 288 pages; $63.99
Information risk management (IRM) is the process to identify, analyze, evaluate, and mitigate risks to information assets. Operational risk management (ORM) is an approach firms use to identify, assess, and mitigate the risks associated with their business operations. The overall goal is centered on resilience, which is the ability to recover from or adapt easily to misfortune or change. This, in turn, minimizes disruptions and financial losses while ensuring business continuity by identifying and addressing potential weaknesses in the people, processes, and technologies that the business utilizes.
In Security Risk Management—The Driving Force for Operational Resilience: The Firefighting Paradox, authors Jim Seaman and Michael Gioia have written a helpful book that shows you how to identify the risk “fires” so that they don’t keep endlessly reigniting.
IRM and ORM have always been a critical part of business, but they are even more crucial now. Businesses are being brought to a halt by things such as distributed denial of service (DDoS) attacks and ransomware. The authors demonstrate how taking the time to create operational resilience capabilities and integrating them into the organization’s DNA makes recovery from disruptions much easier.
Seaman and Gioia spend much time helping the reader understand what their risk profiles are so that they can best understand how to use their staff and budget most effectively. Without that understanding, firms end up endlessly putting out these ORM fires.
The book helps readers understand their risks. A common mistake many organizations make is believing they can take a zero-tolerance approach to risk. This is erroneous: operating any system at all means a firm must accept some level of risk.
For example, a policy stating that a firm has no risk tolerance for loss or inappropriate use of data is simply wrong, because such a state is impossible to achieve. The notion of zero risk tolerance is fundamentally flawed for exactly that reason.
When it comes to IRM, the definitive guide is Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones. Surprisingly, Seaman and Gioia don’t reference this important work.
IRM and ORM are topics that, if not formally addressed, can have devastating consequences for organizations. The authors are from the UK, and in the last few months, the Scattered Spider hacker group launched attacks on UK-based firms, including Marks & Spencer, Co-op, and Harrods, resulting in losses of almost $600 million.
For those seeking to mitigate risks that could harm their business, this guide is highly useful.
Reviewer: Ben Rothke, CISSP, CISM, CISA is a New York City-based senior information security manager with Tapad, and he has more than 20 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography, and security policy development. Rothke wrote Computer Security: 20 Things Every Employee Should Know.