The new four-letter word
By Tim McCreight
Business is constantly changing. From the financial crisis, to a younger workforce, to the consumerization of IT, the pace of change we as security professionals now face is greater than anything our predecessors faced. We’re grappling to keep up and to serve our organizations. We’re facing more threats, greater damage and significant economic impacts if our security programs fail.
Let’s add a new word to our security vocabulary: risk. The traditional perspective of the security industry was one of reaction. We developed response plans to incidents, disasters and events. We developed data breach notification procedures, and responded to threats coming at our corporate IT environments. We did what we were good at: identify a hole in our defense posture, patch the hole and respond if the bad guys got through.
I’m going to bet that many readers have had more than a philosophical debate with senior management on why we need to repair the walls protecting our corporations.
During these meetings, I’m sure many of you have heard everything from “security costs too much money” to “that’ll never happen here, so why even protect against it?” Ever find yourself gathering your mental defenses, ready to explain the theory and principle behind “Defence in Depth,” “Layered Defences,” or “Defensible Space”? How did management respond? Did you enthrall them with your knowledge and expertise, or did they tune you out and start checking their e-mail?
At senior management levels we’ve had these discussions for a number of years. What we didn’t focus on (or at least not until recently) is appreciating the business reason for going ahead with a project, acquisition, website or product.
Here’s a new paradigm. What if we focused on the principle that business inherently deals with risks daily, and that our goal is to support the business? We’d offer that support by providing senior management with relevant, timely and objective assessments of the risks facing the organization.
There’s an international standard that does just that — ISO 31000. This standard defines risk as “the impact of uncertainty on objectives.” It’s brilliant in its simplicity, but the potential implications to the security industry are significant.
What this standard describes is a framework for understanding the business context of risk, regardless of industry. It provides an opportunity for security teams (both traditional and logical) to work with business owners and key stakeholders to assess the impact of a threat. We can begin to provide tangible benefits to the organization by working with business units to:
• Understand their business objectives;
• Discuss and appreciate their appetite for risk;
• Determine the potential likelihood and impact if a threat is realized;
• Assess existing controls and determine if they’re adequate for the level of protection the business unit requires;
• Provide recommendations to senior management on the treatment for residual risk; and
• Focus scarce resources on protecting the right assets with the right controls.
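The steps above (objectives, appetite, likelihood and impact, existing controls, residual risk, prioritization) can be walked through on a small risk register. The script below is an added illustration, not code from the column or a prescription of ISO 31000: the 1-to-5 scales, the control "effectiveness" fractions, the treatment thresholds and the sample register are all constructed assumptions, and the class and function names (`Risk`, `Control`, `treatment`, `prioritise`) are hypothetical.

```python
"""Toy risk register evaluator (added illustration, not from the column).

The scales, control effectiveness values and sample register are constructed
for this example; they are assumptions, not ISO 31000 prescriptions.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed ordinal scales: 1 = lowest, 5 = highest.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Control:
    name: str
    # Fraction of the inherent exposure this control removes (0.0 to 1.0).
    # Assumed value; in practice agreed with the control owner.
    effectiveness: float


@dataclass
class Risk:
    asset: str
    threat: str
    objective: str            # business objective the threat would affect
    likelihood: int           # 1..5 on LIKELIHOOD_SCALE
    impact: int               # 1..5 on IMPACT_SCALE
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"control {c.name}: effectiveness must be within 0..1")

    def inherent(self) -> int:
        """Risk before any control is credited: likelihood x impact (max 25)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left after existing controls. Each control removes its share of
        what remains, so two 50% controls leave 25% of the exposure, not 0%."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent() * remaining, 2)


def treatment(risk: Risk, appetite: float) -> str:
    """Recommend a treatment by comparing residual risk to the unit's appetite.
    The thresholds are constructed for the example."""
    residual = risk.residual()
    if residual <= appetite:
        return "accept"      # within appetite: existing controls are adequate
    if residual <= 2 * appetite:
        return "mitigate"    # add or strengthen controls
    return "escalate"        # needs a senior management decision (avoid, transfer)


def prioritise(register: List[Risk], appetite: float) -> List[dict]:
    """Rank the register so scarce resources go first to the largest gap
    between residual risk and the business unit's appetite."""
    rows = []
    for r in register:
        rows.append({
            "asset": r.asset, "threat": r.threat, "objective": r.objective,
            "inherent": r.inherent(), "residual": r.residual(),
            "gap": round(r.residual() - appetite, 2),
            "treatment": treatment(r, appetite),
        })
    return sorted(rows, key=lambda row: row["gap"], reverse=True)


# Constructed sample register for a hypothetical business unit.
SAMPLE_REGISTER = [
    Risk("customer database", "credential theft", "keep customer data confidential",
         likelihood=4, impact=5,
         controls=[Control("MFA on admin access", 0.5),
                   Control("database encryption at rest", 0.2)]),
    Risk("public website", "defacement", "maintain public trust",
         likelihood=3, impact=2,
         controls=[Control("web application firewall", 0.5)]),
    Risk("payroll system", "ransomware", "pay staff on time",
         likelihood=3, impact=4,
         controls=[]),
]

if __name__ == "__main__":
    # Appetite of 4.0 is an assumed figure agreed with the business unit.
    for row in prioritise(SAMPLE_REGISTER, appetite=4.0):
        print(f"{row['asset']:<18} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>5} -> {row['treatment']}")
```

Run as-is, the payroll system ranks first: with no controls its residual risk equals its inherent score and sits far above the assumed appetite, so it is escalated; the customer database is above appetite but within reach of added controls, so it is marked for mitigation; the website is within appetite and its existing controls are judged adequate. The point of the ordering is the one the list makes: the conversation with management is about the gap between residual risk and their stated appetite, not about which technology is missing.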
You may be thinking that this isn’t for you. Assessing risk at an enterprise level is more for the insurance folks, or maybe the accountants. But that’s short-sighted. Incorporating risk management methodologies and providing senior management with advice regarding risks places the security team in a new light. Almost overnight, you’ll shed the perception that we simply say “no.” We become a business enabler, a trusted advisor. We’re not putting up roadblocks; we’re just pointing out the potholes along the way.
Tim McCreight is the chief information security officer for the Government of Alberta (www.alberta.ca).