Risk Management or Information Security?
I was intrigued by a statement coming from a panel of security professionals who claimed, “There is no such thing as information security risk.” Speaking at the Infosecurity Europe 2013 conference, a member on the panel explained that the only risk that matters is the risk to the bottom line. Well, that seems obvious enough. The bottom line is, after all, an organization’s ultimate concern. But when it comes to the actual practice of information security, things aren’t really that obvious at all.
In many organizations, information security professionals run the risk of becoming myopic, seeing the trees but missing the forest—the bigger picture of truly securing information assets. That’s one reason why so many focus on technology-based solutions, and end up ignoring the human factor, which, on one hand represents the organization’s greatest vulnerability, but on the other, is also the security organization’s greatest opportunity.
One of the panelists observed, “. . . the focus of the IT department is too often on how risk management is going to improve information security, rather than what information security going to do for risk management. The only reason we do information security is to manage the risk of the organization. We are all risk managers, whether you consider yourself to be or not. So the question to us is, do we actually understand what we’re trying to achieve when we talk about risk assessment?”
That’s actually a huge insight. When the focus is on the objective of information security—and not security for its own sake—it changes everything. When that happens, information security goes from being the concern of a department to becoming everyone’s business. That deceptively simple pivot is the golden key to unlocking truly effective information security performance.
Another of the panelists called out the protection of corporate reputation as a case in point. To that end, his company identified a dozen events that could potentially damage that reputation. Working each of those events backward almost invariably finds the behavior of individuals at the root. But that really shouldn’t come as a surprise: nearly all information security breaches involve the behavior of an individual employee somewhere along the line. The security habits of employees matter—tremendously. But motivating (Blog: What’s my Motivation) that behavior toward achieving a larger corporate goal can mean the difference between a successful information security awareness program and a failed one. Look no further than Target for an example of the impact a security breach can have on one’s business objectives.
As we pointed out in our ISSA article, Zero Information Loss—A Keystone Habit for Business Success, focusing on a single objective, like preserving corporate reputation, for example, can, in surprising ways, lead to a great many improvements across the entire organization, not the least of which is improved security awareness, as the panelist discovered.
In the end, information security deals with a great many unknowns. The best way to prepare for the unknown is to address what you do know. Start by making up a list of the things you want most to protect in your organization. Then imagine all the ways those things can be compromised. Don’t be surprised by the length of your lists—the cybercriminals targeting organizations like yours have the same lists. But the point of vulnerability they prefer to attack is also your point of greatest opportunity to defend: your people. Educate them now (3 Steps to Awareness Success) in the ways of security and privacy awareness and you’ll be that much further ahead in protecting what really matters—your bottom line. And that’s something you know you can act on now.