By Tim McCreightFeatures Opinion Risk Perspective
We recently relocated to the West Coast for work, to enjoy the lifestyle living by the ocean brings, and focus on new challenges for my employer.
We heard lots of concerns from family, though, on the risks we’d face. The price of housing would put home ownership beyond our reach, and the cost of living would be so high that it’d be impractical to live at our current lifestyle.
Before we moved, we did our own “family-based” risk assessment. We reviewed the cost of groceries, gas, and car insurance. We looked at affordable options for housing, and how easy it would be to get around our newly chosen home on public transit.
In my career, I’ve had to do a similar exercise as I moved from one project to another, and from one organization to another. The risks I thought I would face during a project may or may not have materialized, but that didn’t mean I should automatically bring the perception of those risks to my next assignment.
In many ways, working on a variety of projects, initiatives, programs and careers offers security professionals the opportunity to broaden our risk horizons.
New projects and initiatives bring new types of risks, ones we may not have considered in previous engagements. One of the appeals of our industry is the chance to move vertically within our current organization as well as horizontally either within our company, or in completely different industry segments.
Risk management, and the principles of assessing risks to our organizations, must remain a constant in our profession. I find myself constantly revisiting the ISO 31000 principles and guidelines now that I’m consulting again, and find new interpretations of this valuable document on a regular basis. I’ve immersed myself (once again) in the books on my information security bookshelf, focusing on relevant controls and processes that I’ve used in past lives, but now need to adjust for a new group of clients.
Part of this internal review is becoming familiar with the context of risk facing organizations, and becoming more aware of how the organization operates, its business ethics, and the drivers motivating the organization. You cannot do this from an armchair, nor can you simply rely on news and the media to provide this context. You have to “move” into that environment, albeit for a short time, to truly understand the business your client (or organization) operates within.
This brings me back to the warnings we received from some of our family and friends about our pending move. We were told we’d hate the weather, it would rain all the time, and we’d never see sunshine.
Well, we’ve had a chance to “live in the context” of our new environment and have reduced our exposure to these perceived risks. We’ve assessed our standard of living, and we can state it is about the same as we are used to.
The weather has about the same amount of rain as where we came from, and we’re looking forward to a winter that won’t include -40° Celsius and centimetres of snow. And we’re still able to eat some lovely, locally farmed vegetables and fruits while enjoying some amazing regional wine as well.
Security professionals sometimes bring “risk baggage” with them to their next assignment or organization. We can’t always leave these preconceived notions behind, but we must make sure to temper our perceptions of risk at our new assignment based on sound risk management principles. We can’t go wrong if we go back to read the books on our information security bookshelf every now and then.
Tim McCreight is director, advisory services at Above Security (www.abovesecurity.com).
Print this page