Final Words

Risk assessment is one of the most critical and overlooked tasks in security. That's sad, because it's nearly as obvious as it sounds. You need to know what you've got and what it's worth to really understand how to protect it.

In 2001, a Global Security Survey conducted by Information Week and Price Waterhouse Coopers found that 67 percent of respondents did not have a security policy that included data classification. That's actually up from 52 percent the previous year. Of course, not all "ignore" data classification on purpose. Almost 70 percent don't have a data-security policy addressing their security objectives at all. Are companies becoming cavalier about data security? Not at all. The exponential growth in the amount of data to be protected has simply overwhelmed them. Will they pay for the oversight in their future? Absolutely.

To really protect your network, you need to do a thorough risk assessment and then use that information to design your security strategies. And, you also need to do it more than once.

Whenever new systems are added, system platforms are changed, or any major organizational modifications are undertaken, you need to redo that risk assessment. "Security is not a one-time event it's a practice. A practice that consists of tools, training, metrics, and a methodology."