As directors become more and more aware of the implications of major changes to corporate governance on their responsibilities for information security, more money might well become available. Those responsible for spending it will need to do so wisely and effectively, and will also be held accountable, in their turn, for success or failure. Risk assessment is a key tool in determining how much money is needed and where it might most usefully be spent.
"You can't consider information security in isolation," asserts Leslie Macartney, chief security officer for Reuters. "It happens too often that security strategies are full of technical this and technical that, but with nothing about the business impact." She goes on to stress that it is important to "align information security strategy with the business challenges."
Developing a comprehensive list of threats and vulnerabilities involves using a variety of sources to "find corporate challenges and assess whether security helps or if it hinders." Nor is budget always guaranteed, even for a relatively major security risk, because "there might be other business priorities that need to be addressed first." It is important, she says, to understand the business drivers before making any recommendations. Security analysts should be prepared to "listen rather than talk."
External risks must also be considered, believes David Spinks, director of operational risk at EDS. "It is not good enough just to measure internal risk. Understanding risk as it is attacking other businesses and providing measurement is crucial," he comments.
This might involve working with other businesses and with law enforcement agencies to develop "risk intelligence" that can be included in the ongoing operational risk management process. But Macartney warns: "Getting good intelligence is difficult and can take an incredible amount of time."
For a company with "a wide reach," she believes that Reuters "doesn't do too badly." She also notes that risks are seldom contained within the organization and the assessment must also view the effects on customers, suppliers and other stakeholders.
Prioritize your risks
To prioritize risks, Spinks uses a matrix with 'likelihood of occurrence 'on one axis and 'severity/consequence' on the other - concentrating on high likelihood and high severity areas first. He warns that "your highest value asset may not be your greatest risk. The motive behind some threats is not linear. They might not be aiming to hurt you financially. Remember, to hurt your reputation, they don't necessarily need to damage your most valuable asset."
How accurately the probability of a risk event can be predicted is limited by our own ability to assess information. Dr. John Maule of Leeds University in the U.K., an expert on decision making, cautions: "Even when we are 'certain' of something, we'll only be right 85 percent of the time." Macartney develops this theme using Maule's own theory that we are often seduced by the most obvious threats. "Viruses and hacking will have a much bigger impact on people than background issues like software bugs and employees," she explains. "We tend to concentrate on the most violent acts and not on the most costly."
Spinks points out that responsibility for risk is typically split across business areas and those lines of business often don't talk to each other but, crucially, do measure risk differently. "If we are going to meet future challenges in these complex businesses," he says, "business has to radically reorganize the way in which it manages risk. We can't sustain 30 ways of measuring risk." He recommends the creation of a chief risk officer post, operating at or near board level to "bring together all risk departments and to radically alter the culture."
Macartney supports this approach, noting that this is "very much the way that larger organizations are going."
Piet Poos, of Netherlands financial services company SNS Reaal Group, concludes that traditional risk analysis is often limited by a lack of knowledge: "We do not know what we do not know," he says, adding that it is also "difficult to determine the effect of several events happening together."
Poos has developed two simple scorecards, covering "organization" and "process," which are completed by each division on a regular basis to provide the information that managers need to ensure that the right risks are being managed successfully and to compare performance between divisions.
However, it might not be important, or possible, to identify every possible risk in advance. Rolf von Rössing, of Ernst and Young Austria, suggests that "the nature of the event is less important than the damage it causes," and outlines an approach that quantifies business impacts using financial boundaries. He models the way the impact of events develops over time, and its potential to threaten the ongoing business, in order to enable decisions to be made on managing those events.
Get the board involved
Spinks believes that deciding on action to manage risk is an executive decision. Executives can be alerted to the risks the business is facing by the use of dashboards. Each area within their area of responsibility can be scored to identify critical items. The executives can view their critical items and delegate actions, ensuring that they are followed up until completed. In this way, risk assessment becomes a part of a continuous management process.
Macartney agrees that it is about "managing your risks not getting rid of all of them." It is vital to make someone accountable and, to do this, they must have both the necessary knowledge and the resources. The risk assessment should not just identify the risk, but also "help people to identify solutions."
During the risk-assessment process, one positive outcome might be to identify cost savings or efficiency improvements. Spinks gives the example of a business process that operated through two data centers, one live and one standby. "The way they were designed was such that if one went down, the other was likely to go down, too. That firm saved something like $5.3m a year by running with one center and investing some of the money they saved in higher levels of security."
The growth of denial-of-service attacks, which according to the National Hi-Tech Crime Unit increasingly carry an element of extortion, makes it all the more important to consider non-intrusive attacks. DoS attacks "are some of the roughest in the world to deal with," comments Macartney. "There have been great improvements in hardening and preparing systems for such attacks, but you will always be in a defensive position and chasing new things."
There is consensus on some key issues. Risk will never go away, nor will risk assessment ever anticipate everything. The process must be continuous and capable of reacting quickly to unforeseen events. Macartney counsels that you should "take the time to understand business functions and what is important to them, rather than getting fixated on technology."
Existing resources like auditors can help in the process, because they are often expert in risk assessment. Automated tools are useful, but only if you use the right tool for the right job and don't try to make the results perfect.
As Macartney puts it: "The process of risk assessment is as important as the end product." Information provided to senior management must be meaningful and relevant to the business - they should not need to become security experts to take effective action.