
Friday, 10 Oct , 2014

There Is No Such Thing As Information Security Risk


There is no such thing as Information Security risk. There are just business risks that have one or more security or IT related causes.

Having worked in IT and Information Security for 13 years, I’ve come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes.
There is a fundamental and persistent disconnect between risk conversations in technical and non-technical business communities, and few are building the bridges needed to close that gap. Taking the world of IT change as an example (I reckon you’ll have no problem recognizing most of these actors on the project stage):
C-Level bod

“The late delivery of this IT project is impacting our ability to realize our digital marketing and sales strategy, main pillars of our growth plan for the next two years”

Operational business bod

“If we don’t get this solution in place, we are at risk of not meeting annual performance objectives”

Marketing bod

“Every second we delay getting this to market risks loss of planned competitive advantage”

Project Management bod

“The late delivery of this IT project is risking an overrun in the allocated budget and disappearance of my hoped for bonus”

Developer bod

“Squeezing time and resource to fully pin down requirements, understand system interactions and robustly test means we could have significant functional issues with the implemented solution”

Security bod

“Not allowing time to assess security of planned changes, pentest web elements and fix problems found, risks serious vulnerabilities ending up in the live service which could lead to financial fraud, data disclosure or data theft”

What really matters? The bottom line. Why is security so often deprioritized in this context? Because all of the other impacts are easier to understand and feel more immediate. Without a means to compare these risks side by side, security will continue to be the poor relation.
Something technical security folk don’t always seem to get:
If there’s a new threat, newly identified vulnerability or a procedural control is broken, it doesn’t matter…
…UNLESS it is likely to lead to an exploit that can impact the balance sheet and/or reputation of the business and…
…IF that impact makes it cost effective to delay implementation and get it fixed.
I’m not ignoring the fact that it’s still an industry-wide challenge to realistically assess security gaps and monetize potential impact, especially estimating the likelihood of vulnerability exploitation and turning all risk inputs into useful cost benefit analyses. This article from John Pescatore prompted me to start a discussion on LinkedIn about risk calculation. It drew in comments from a broad range of contributors (including Jack Jones, creator of the FAIR risk framework) and highlighted many of the challenges facing IT and security teams today.
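To make the side-by-side comparison and the UNLESS/IF rule concrete, here is an added illustration (not part of the original post): each stakeholder’s risk above is expressed as likelihood × monetary impact, the risks are ranked on one scale, and the go-live decision becomes a comparison of two expected-loss totals. All figures are constructed for illustration, and the last function shows how much the call hinges on the likelihood estimate the post says is hardest to make.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessRisk:
    """A business risk with an IT or security related cause, in money terms."""
    owner: str         # whose neck is on the block if the loss materialises
    cause: str         # the decision that brings it about: "delay" or "rush"
    likelihood: float  # estimated probability of the loss event in the period
    impact: float      # estimated loss if the event happens, in currency units

    def expected_loss(self) -> float:
        return self.likelihood * self.impact


# Constructed figures for the six stakeholders in the post; not real data.
RISKS = [
    BusinessRisk("C-level", "delay", 0.50, 800_000),          # growth plan slips
    BusinessRisk("Operations", "delay", 0.60, 150_000),       # missed objectives
    BusinessRisk("Marketing", "delay", 0.30, 500_000),        # lost advantage
    BusinessRisk("Project manager", "delay", 0.80, 120_000),  # budget overrun
    BusinessRisk("Developer", "rush", 0.40, 300_000),         # functional defects
    BusinessRisk("Security", "rush", 0.20, 4_000_000),        # fraud or data theft
]


def side_by_side(risks):
    """Rank every risk by expected loss so security sits next to the others."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def expected_loss_by_cause(risks):
    """Total expected loss of going live late ("delay") versus early ("rush")."""
    totals = {}
    for r in risks:
        totals[r.cause] = totals.get(r.cause, 0.0) + r.expected_loss()
    return totals


def fix_before_go_live(risks):
    """The post's rule: delaying to fix is justified only when the expected
    loss of shipping unfixed exceeds the expected loss of the delay itself."""
    totals = expected_loss_by_cause(risks)
    return totals.get("rush", 0.0) > totals.get("delay", 0.0)


def with_likelihood(risks, owner, likelihood):
    """Re-estimate one stakeholder's likelihood to see how sensitive the call is."""
    return [BusinessRisk(r.owner, r.cause, likelihood, r.impact) if r.owner == owner else r
            for r in risks]


if __name__ == "__main__":
    for r in side_by_side(RISKS):
        print(f"{r.owner:16} {r.cause:6} {r.expected_loss():>12,.0f}")
    print("fix first:", fix_before_go_live(RISKS))
    print("fix first at 5% likelihood:",
          fix_before_go_live(with_likelihood(RISKS, "Security", 0.05)))
```

With the figures as constructed the security risk tops the ranking and justifies the delay; drop its likelihood estimate from 20% to 5% and the same numbers say ship now, which is exactly why the likelihood input deserves the most scrutiny.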
Sorting out an organically grown risk function is not quick or easy, but until we get better at putting our security news into a business context and build credibility for the function, security will never be everyone’s responsibility. No matter what lip service is paid, IT risk will be seen as IT’s job to fix and security risk will be a job (to reflect the view of many senior managers) “for the people who understand security”. How painfully ironic.
A good place to start? A rock solid security RACI. This Tech Target article (scroll down to read without registering) looks at using RACIs in the context of risk assessment and here I take a look at proper allocation of risk ownership in security assurance for change, but to nail this, I suggest going a step further. Use security incident management scenarios to thrash out who contributes what to the security picture and who has what to lose. It jointly focuses minds on the “so what”.
Whose neck is on the block when the Information Commissioner or financial regulator comes calling? Who owns the services that will be operationally impacted by an outage? Who answers to the markets if a breach slices 30% off the share price? Along the way security awareness will be dramatically improved.
At the same time, to keep that respect and awareness bandwagon rolling, have a long hard look at the MI generated by your security team – does it headline with tangible current or potential fallout from security related issues? If it doesn’t, do you have the inputs and communication skills to ensure the next report does?
So, that’s why I argue that there’s no such thing as Information Security or (based on the same premise), IT risk. You might aggressively disagree, but it’s not a bad way to start your next risk conversation with the board.
