Thursday, March 6, 2014

Awesome Comparison of Risk Methodologies

Absolutely love this research from Gartner. Fantastic job guys.
You Care Because: There are several viable risk management frameworks our customers can use for assessing and building security into Vblock Systems. The program is far less important than the execution; the same lesson applies in sports, business, and personal life, where a well-executed plan beats a perfect one that never gets carried out.

Gartner For Technical Professionals - Comparing Methodologies for IT Risk Assessment and Analysis

Authors: Ben Tomhave, Erik T. Heidt & Anne Elizabeth Robins

To access this research, visit

In-Scope Methods:

  • FAIR
  • ISO/IEC 31000:2009 and 27005:2011
  • NIST Special Publication 800-30
  • OCTAVE Allegro
  • RiskSafe

Summary of Findings (page 3)

Bottom Line: Which method you choose for IT risk assessment and risk analysis is far less important than ensuring that the selected methodology is operationalized and a good fit for the corporate culture. It is more important to start somewhere, getting a process in place that integrates with existing or emerging risk management processes, and then scaling and evolving practices over time. The selected approach must be able to produce output that is meaningful to management, and supporting processes must account for assumptions, documentation and potential gaming of the system. Tools should be leveraged, where possible, to ease method adoption.