Four of Australia’s leading IT security professionals sat down recently and discussed these burning issues at the Terrapinn Security Risk Management conference Australasia 2007 in Sydney. Here’s some of what they had to say.
Michael Roylance, information security manager, Roads and Traffic Authority
“The current risk models that we are all familiar with are impact and probability. Impact is fairly easy to measure but probability [is a] real problem.
“Why is it that you can tell me exactly what the probability of me having a car accident is, but no one has any idea of what the probability of a virus outbreak is?
“We’ve got the probabilities for earthquakes, fires and stuff that we have history on, but we have nothing for the kind of things that we are talking about [risk management]. Why is that the case?
“Risk assessment as we know it is essentially qualitative. That works well inside IT, but once you get out and start talking to the business they want to numerate and measure and control things. There’s an old saying ‘if you can’t measure it, you can’t manage it’, which is quite true.
“Move your mind forward 10 or 15 years and think that you can buy insurance for a virus outbreak.”
John Greaves, manager, information security, management services, IT strategy and architecture, QBE Insurance Australia
“The insurance industry has put a lot of effort into actuarial study of car accidents. We have almost a hundred years of data. We [IT professionals] don’t as a profession have that same discipline and body of study for providing actuarial data on incidents. I think that is something that’s really needed. There is that trouble, ‘how do you assess something that’s never happened?’
“Two of the biggest problems we have got are probably around changing of risk and aligning of IT business or aligning risk into business. Risks regularly change, we see this increasingly rapidly all the time. At the same time that these risks are changing, business leaders now think they understand it.
“The average business leader now understands terms like anti-virus and firewalls. But now that they understand those things, we’ve got to tell them: ‘sorry, the ball game’s changed’. They are no longer the big risks they need to worry about.
“In terms of standards, what we really need to start thinking about is a language definition of risk, rather than the risks themselves. We need to look at standards that start to define how we communicate risk and controls rather than the risks themselves.
“We [IT professionals] still have trouble describing risk to them [business leaders] because sure enough there is always somebody that can make the decision but we’ve got a problem of giving them the information they need.”
Mark Pigot, IT Manager, risk management, AMP
“It’s less important which risk assessment model you actually pick than it is to ensure you actually use the same model, the same semantics, the same frameworks – importantly the same language to articulate IT risk controls as are used inside the enterprise risk management framework.
“It’s so fundamental to actually consider IT security as an actual risk management discipline. It is not an actual technical function. Embed it inside the enterprise risk management function.
“We can’t really quantify the actual risk. Especially in terms of quantifying IT risk as opposed to HR risk. But in terms of our approximate style at least we’re able to supply an indication and then use those for an ultimate purpose in terms of how effectively we mitigate those risks inside the organisation.”
Jim Karvounaris, global head of information security, ANZ Banking Corporation
“If you quantify it [risk] and give it to an MD and say, ‘if you can live with this risk the reality is, if it did occur and it’s going to cost you $50 million, it will blow the revenue or blow the business profitability for the year. Are you aware to wear it?’
“If he says, ‘yes I am’ then good luck to him. If he says, ‘no I’m not, fix it, here’s the money’. You’ve got to make sure the right person is aware of the risk and the right person is making the business decision.
“It cannot be seen to be purely an IT-related function.
“We’ve got to make it business speak, we’ve got to talk to them [business leaders] in relation to what it means to their business. You’ve got botnets and Trojans and phishing and spam. Some business managers are picking up the lingo but a lot of them at the high level don’t understand it.
“One of the other challenges we have as an industry – we’re not sharing this information because we all don’t want to let each other know of a virus or how good or bad we are.
“We are collecting the data about when it [breaches] happens. The big challenge is we haven’t got the history to sort of say, ‘how often has it occurred in the past and how often is it likely to occur in the future?’”
Panel discussion: How to manage enterprise risk?
By Negar Salek on Sep 26, 2007 3:39PM
Does IT security risk management need actuarial analysts? Should the IT department define and control risk? Four of Australia’s leading IT security professionals sat down and discussed these burning issues.