Get Smarter About Security Risks

How much you should invest in protecting corporate data depends on how good you are at assessing the threat

There's a reason companies are asking CIOs to solve a new kind of security risk every time they turn around. Business continuity threats, data breaches, malicious code and stolen laptops all have one thing in common - they're the price of information technology's success. Information security is an issue because most of our core business processes incorporate IT, and technology has started to break down the stovepipes that used to protect corporate data.

CIOs have always had to prioritize risks when deciding how to allocate resources. What's different about information security risks today is the uneven ability of CIOs and their business partners to assess them. Every company faces a different mix of security risks. And every one has a different set of information advantages and disadvantages - call this risk intelligence - for assessing each of those risks. IT executives have no choice but to sort out which security risks are big, which ones are small and, most important, which ones they and their colleagues are not very good at evaluating.

This last challenge is new. The methods for estimating the size of a risk usually involve polling business partners to determine the worst-case loss they expect in a given period of time. But CIOs still have to evaluate how accurate these assessments are. One company may know from experience how information integration can compromise records. Another might have learned what a data breach costs. But it would be a mistake to assume every company, or even every business leader within a company, has the same ability to assess the likelihood or impact of fast-evolving threats. So a critical new step in allocating resources for security risks is to determine which ones your organization is good at assessing before you rank the risks and estimate how much it would cost to mitigate each one.

How to Assess Risk Intelligence

To assess your risk intelligence, ask yourself these five questions for each major security risk you face.

• How frequently do you have experiences related to the risk you're evaluating?

• How surprising are these experiences?

• How relevant is your experience to the risk you're evaluating?

• How diverse are the sources of information about the risk?

• How methodically do you track what you learn from past experience about mitigating risks?

Score your answers on a scale of 0 to 2, where 0 means you and your business partners understand this risk and its contributing factors less well than the others on your list; 1 means your understanding is about average; and 2 means you understand it better than the other risks. Add up your answers for all five questions. Scores fall between 0 and 10; a 5 means you think your ability to weigh this risk is average across the five factors. It doesn't matter whether you're a tough or an easy grader: what you're doing is ranking your risk competence relative to the other risks on the list, not measuring it in absolute terms.

Now rank your organization's information security risks by their risk intelligence score. You may want to allocate more mitigation resources to the ones that score the lowest, because these are the ones you are worst at assessing. For larger companies, it may be important to score the risk intelligence of each business unit facing a single risk. In this way, you can figure out which business unit has the clearest understanding of the threat, though you may still allocate more resources to the unit that scores the lowest.

By the way, this is the opposite of the conclusion you'd draw for elective projects. It makes sense to pursue discretionary projects that pose risks we're good at assessing. But when the risks are unavoidable, the question is different. We need to focus on the risks - or the parts of the business - where we're most likely to make a mistake.
