IT Risk Management :The Evolving Nature

Peter Cooper, Group Information Security Manager, Woolworths says the value IT can bring "is to do what we do faster. The best value we can bring to our important business colleagues is help business processes. But doing things faster brings new risk".

That means we need to find new ways to manage IT security and risk management in ways that support this new, faster world.

Cooper likens the challenge facing CSOs as being like the difference between gambling and risk management. In his view, about 60% of a company's share price is historical and 40% is expected future earnings. When the stock market trades a particular share, it's really the fluctuation of the 40% that they are gambling with, not the entire share price.

When looking at how a casino operates roulette tables, the difference between the odds of a gambler winning and losing are very small. But the odds are slightly in favour of the casino owner. For the players, winning is a gamble whereas for the owner, there's an acceptance that there may be some losses but for the most part the odds favour them winning.

Traditional IT management

Cooper used the example of a rock climber to highlight active risk management. Although rock climbing might look like a risky activity, a well-equipped climber uses strong ropes and other equipment. Although these might be heavy and cause some impedance to the climber, they offer a balance between the danger and benefit.

In contrast, Cooper compared this with a tandem skydiver. With the tandem skydiver, the risk is shared between the leader and "passenger".

However, the rock climber has full control but bears all the risk. There's also a significant effort involved in becoming a competent rock climber whereas a tandem skydive requires little preparation.

When it comes to risk management, Cooper sees a shift towards finding partners with whom to share risks rather than doing it all ourselves. He sees the tandem skydiver becoming a model for the future rather than a complete do-it-yourself model like the rock climber.

Moving forward

Part of this transition is a shift from being builders of systems to brokers of services - we need to change our IT risk management accordingly. One place IT security practitioners can start is by looking at their KPIs. Cooper asked the audience how many had a KPI measuring security as an enabler and how many had data protection as a KPI.

The results of this informal survey comprehensively showed that companies are still focussed on risk management as a blocker rather than an enabler. Cooper sees this as a conundrum for CISOs and CSOs. Businesses want to embark on new activities and take some risks in increasing their markets but there is a reticence by security professionals as their KPIs don't reward enabling, but potentially risky, behaviours. There's a need to find a balancing point between the two postures that Cooper is not seeing amongst his peer network.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags IT risk managementmeasuring securityrisk preparationbenefitPeter Cooper (ISM Woolworths)riskCISOsCSOmanage IT securityBusiness Processesnetworksystems managementsystemssecurity and risk management

More about CSOEnex TestLabWoolworths

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place