
“More often than not you’re not going to have the best statistical data,” Coviello told SC during his recent visit to Australia.
“You’re not going to be able to mathematically put a probability for [information security risk],” he said, referring to the lack of statistics and historical data available.
“But this doesn’t mean nothing should be done at all.”
Using his role at RSA as an example, Coviello said that if the best response he receives is ‘low risk’, he then explores potential mitigation steps.
“Even though it’s not quantifiable and it’s qualitative, it’s a step much [closer] to making a business judgement,” he said.
Additionally, you can then start to gather statistical information one way or another.
Meanwhile, to the people who say it’s too hard, Coviello asked: what is your alternative?
“Is your alternative to wait until something bad happens, or is your alternative to make a qualitative assessment and then use your business judgement?”
“Doing nothing or not evaluating risk and going headlong into something with your eyes closed is certainly not a good thing,” he said.
Furthermore, [businesses] need to protect information far more dynamically and proactively, according to Coviello, who claimed information-centric security is now conventional wisdom.
“If we’re going to stop doing [security] reactively and start doing it holistically then we need to start with a thorough understanding of organisational risk,” explained Coviello.
“[As well as] information infrastructure risk and the risk every time we have a new business or organisational initiative.”