Infosecurity Europe 2013: Risk management means engaging the board

Fostering a risk-based approach to information security: panel discussion at Infosecurity Europe 2013

Information security professionals must work with their boards to make sure data security risks are in line with their organization's overall risk profile, according to a panel discussion at this year's Infosecurity Europe show.

Risk management, the panel found, should not be left as a technical discussion. Instead, information security teams need to consider financial, operational and reputational risk, and how those risks "cascade" through the organization.

Businesses need to consider the degree of uncertainty that they are willing to tolerate, and also the impact of any possible security breaches. Just as it is impossible to provide complete security, it is not possible to eliminate all risks. So businesses need to balance the consequences of accepting those risks against the consequences of a failure.

As a result, panelists reported that they are taking different approaches both to assessing and mitigating risk.

At Santander, Michael Paisley, head of operational risk, said that he uses Monte Carlo simulations to narrow down the number of risks the business needs to focus on.

"Simulation allows us to experiment with the randomness of what you are uncertain about," he said. He also takes a data-driven approach to risk assessment. It helps that the bank's business users understand the ideas of simulations and modeling, he added.
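To make concrete what "experimenting with randomness" means in a risk register, the following is an added example (written for this page, not Santander's or Paisley's model): a small Monte Carlo simulation in Python that samples an uncertain annual likelihood and an uncertain loss for each risk, then ranks risks by their 95th-percentile annual loss and keeps only those above a stated risk appetite. All risk names, probability ranges, loss figures and the appetite threshold are constructed for illustration.

```python
import random

# Constructed risk register (illustrative values only, not any organisation's data).
# Likelihood is given as a range, loss as a triangular (low, most likely, high) estimate,
# because both are uncertain; the simulation explores that uncertainty instead of picking
# a single point estimate for each.
RISKS = {
    "phishing-led account takeover": {
        "p_min": 0.30, "p_max": 0.70,
        "loss_low": 50_000.0, "loss_mode": 200_000.0, "loss_high": 2_000_000.0,
    },
    "payment system outage": {
        "p_min": 0.05, "p_max": 0.20,
        "loss_low": 500_000.0, "loss_mode": 1_500_000.0, "loss_high": 8_000_000.0,
    },
    "laptop loss (encrypted)": {
        "p_min": 0.80, "p_max": 0.95,
        "loss_low": 1_000.0, "loss_mode": 5_000.0, "loss_high": 20_000.0,
    },
    "third-party data breach": {
        "p_min": 0.10, "p_max": 0.40,
        "loss_low": 100_000.0, "loss_mode": 600_000.0, "loss_high": 5_000_000.0,
    },
}


def simulate_annual_loss(risk, trials, rng):
    """Simulate `trials` years for one risk; return the loss incurred in each year."""
    losses = []
    for _ in range(trials):
        # Draw this year's likelihood from the analyst's uncertainty range.
        p = rng.uniform(risk["p_min"], risk["p_max"])
        if rng.random() < p:
            # The event occurred: draw its loss from the triangular estimate.
            losses.append(rng.triangular(risk["loss_low"], risk["loss_high"], risk["loss_mode"]))
        else:
            losses.append(0.0)
    return losses


def summarise(losses):
    """Return the mean (expected annual loss) and the 95th-percentile annual loss."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected": sum(ordered) / n,
        "p95": ordered[min(n - 1, int(0.95 * n))],
    }


def rank_risks(risks, trials=10_000, seed=1):
    """Rank risks by 95th-percentile annual loss, highest first.

    A fixed seed makes the run reproducible, which matters when the numbers are
    going in front of a board and will be asked about later.
    """
    rng = random.Random(seed)
    results = {name: summarise(simulate_annual_loss(r, trials, rng)) for name, r in risks.items()}
    return sorted(results.items(), key=lambda item: item[1]["p95"], reverse=True)


def above_appetite(ranking, appetite):
    """Names of ranked risks whose 95th-percentile annual loss exceeds the appetite."""
    return [name for name, stats in ranking if stats["p95"] > appetite]


if __name__ == "__main__":
    ranking = rank_risks(RISKS)
    for name, stats in ranking:
        print(f"{name:32s} expected={stats['expected']:>12,.0f}  p95={stats['p95']:>12,.0f}")
    # Hypothetical appetite: the board will not accept a 1-in-20-year loss above this figure.
    print("Needs board attention:", above_appetite(ranking, 1_000_000.0))
```

The point of the exercise is the last line: out of a long register, only the risks whose tail loss exceeds the appetite reach the board, which is the "narrowing down" the panel described. The 95th percentile rather than the mean is used deliberately, since a low-probability, high-impact event can have a modest expected loss while still being intolerable.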

At easyJet, Serge Baudot, head of information security and business continuity, said there are two high-level risks that his business faces: the inability to fly, and the inability to sell. "If those are the controls I am trying to sell to the board, they have to listen to me," he said.

But, he added, every organization has a different risk appetite, so although easyJet uses standards such as ISO 27001 as a starting point, it then uses gap analysis to see how its risk appetite translates into specific projects.

At OFGEM, Bob Mann, CSO, agreed that often risk appetite and security or risk management systems are not as well aligned as they could be. Although boards have an overall understanding of risk, he said that IT security teams need to work with the business to narrow down the real risks it faces from the "hundreds or thousands of possible events". It is easy, he warned, to provide business users and boards with too much detail.

Instead, at OFGEM Mann relies on simple questionnaires for line of business managers, and business impact assessments. "That joins up business and IT requirements," he told the conference.

For News International, CISO Amar Singh warned security professionals not to "rely on fear, uncertainty, and doubt".

"If you can't convince the board that it is a risk that relates back to them, it is a hard sell," he said. "You have to correlate it back to the 10, 12 or 20 board-level risks."

And Andrew Rose, principal analyst at Forrester Research, said that effective risk management, and effective security, is only possible if security teams work within that risk framework.

"Business has a strategy, and business knows what its goals are," he said. "It is aligning your information security and your business strategy: that will overcome so many problems. You should understand where the business is going, and leverage that in your risk assessment process."
