In the world of business, risk — for all its uncertainty — has a rulebook. In fact, the financial and insurance industries have built an entire discipline around predicting the chance of an injury or loss, protecting against it and reaping the benefits if bad things never happen. The rules are the principles behind risk management, and they’re fuelled by the raw data of financial statements from public companies, complex actuarial tables of past events and decades of academic rigour.
Information security, however, is a whole new game in which the economic goal is clear: Spend the smallest amount of money necessary to protect the enterprise. Win in a photo finish.
But how? Companies have a hard enough time counting how many cents they’re spending to protect how many dollars, never mind calculating the damage from an employee who inadvertently (or not) reveals company secrets or the value of the training that might prevent such an occurrence. Security’s only reward — if you could call it that — is that weaker competitors are often the ones plagued by such mistakes and miscreants. But because companies are reluctant to talk about either their best practices or their breaches, it’s hard to know exactly where the competition stands. With numbers fuzzy and the payoff vague — nothing bad happened to us today, thanks — risk management in information security has traditionally had a different meaning than it does for the rest of the business community.
But all that is about to change.
As information security — and along with it the emerging CSO role — rises in prominence, so too does the need for practitioners to apply traditional theories and models of risk management to information security — to put structure around the process of mitigating risks, accepting some of them and transferring others to third parties.
In the coming years, the information security community has the chance to work with auditors, economists, accountants, lawyers, insurance companies and a bevy of other experts to find ways to put structure around the money spent on information security. The ability to join in this dialogue is vital. For your business to survive, you have to play the game of risk. If you want to win, then help write the rules.