Opinions

There's a reason companies are asking CIOs to solve a new kind of security risk every time they turn around. Business continuity threats, data breaches, malicious code and stolen laptops all have one thing in common - they're the price of information technology's success. Information security is an issue because most of our core business processes incorporate IT, and technology has started to break down the stovepipes that used to protect corporate data.

CIOs have always had to prioritize risks when deciding how to allocate resources. What's different about information security risks today is the uneven ability of CIOs and their business partners to assess them. Every company faces a different mix of security risks. And every one has a different set of information advantages and disadvantages - call this risk intelligence - for assessing each of those risks. IT executives have no choice but to sort out which security risks are big, which ones are small and, most important, which ones they and their colleagues are not very good at evaluating.

This last challenge is new. The methods for estimating the size of a risk usually involve polling business partners to determine the worst-case loss they expect in a given period of time. But CIOs still have to evaluate how accurate these assessments are. One company may know from experience how information integration can compromise records. Another might have learned what a data breach costs. But it would be a mistake to assume every company, or even every business leader within a company, has the same ability to assess the likelihood or impact of fast-evolving threats. So a critical new step in allocating resources for security risks is to determine which ones your organization is good at assessing before you rank the risks and estimate how much it would cost to mitigate each one.

How to Assess Risk Intelligence

To assess your risk intelligence, ask yourself these five questions for each major security risk you face.

• How frequently do you have experiences related to the risk you're evaluating?

• How surprising are these experiences?

• How relevant is your experience to the risk you're evaluating?

• How diverse are the sources of information about the risk?

• How methodically do you track what you learn from past experience about mitigating risks

Score your answers on a scale of 0 to 2, where 0 means you and your business partners have less understanding about this risk and its contributing factors than others on your list; 1 means your understanding is about average; and 2 means you understand it better than other risks. Add up your answers for all five questions. Scores fall between 0 and 10; 5 means you think your ability to weigh a risk is average across the five factors. It doesn't matter if you're a tough or an easy grader: What you're doing is ranking your risk competence.

Now rank your organization's information security risks by their risk intelligence score. You may want to allocate more mitigation resources to the ones that score the lowest, because these are the ones you are worst at assessing. For larger companies, it may be important to score the risk intelligence of each business unit facing a single risk. In this way, you can figure out which business unit has the clearest understanding of the threat, though you may still allocate more resources to the unit that scores the lowest.

By the way, this is the opposite of the conclusion you'd draw for elective projects. It makes sense to pursue discretionary projects that pose risks we're good at assessing. But when the risks are unavoidable, the question is different. We need to focus on the risks - or the parts of the business - where we're most likely to make a mistake.