Information Security and Risk
Should information security (or cyber security, if we follow the latest fad) be based on risk? And what is that risk: risk to the information or other IT resources, or risk to the business?
I congratulate John Pironti and Dark Reading for the intelligent perspective in a short video interview.
Two points stand out for me:
- The investment in information security/cyber should be based on the risk to the business and the achievement of business objectives.
- Information security professionals need to talk to the business in the language of the business – which is risk and performance. That means that the CISO and team need to understand the business objectives and how a failure in cyber might impair the ability to achieve them.
Information security professionals will be able to get and retain the attention of executives when they are able to explain how investments in information security help managers and the business as a whole succeed.
While information security professionals should continue to advance their understanding of technical issues, most need to upgrade their understanding of the business and business risks. Risk management guidance, such as the ISO 31000:2009 global risk management standard, should be required reading in addition to business and technical journals.
I welcome your comments.
Information security and cyber security are not the same. Cyber security involves anything security-related in cyber space; cyber security is a subset of information security. Cyber security has been around for a long time and has become the latest fad because cyber attacks are increasing and have become more complex with the growth in Internet access through mobile, wireless and IoT. Without performing a risk assessment of IT assets and their impact on the business, information security risks cannot be reported; for both qualitative and quantitative risk assessment, the risk to information and its business impact is always taken into consideration, so information security professionals need to understand business impact.
ISO 31000 is definitely a useful ERM standard to know and follow; however, there are other risk management frameworks that can be considered, such as NIST 800-37.
It has been my experience that most information security professionals (including cyber security – thank you, Malurao, for that distinction) are quite familiar with risk management. They have an advantage in that the value of business information can be estimated. Any attack on the network has the potential to steal everything, corrupt everything, or destroy everything. OK, we have the very definition of “high impact” established. The problem that they face is that there is very little evidence they can use to support an assessment of the likelihood of any given attack, and the number of possible attack vectors is huge and growing.
And while I agree that the technology sector needs to be able to speak in terms that the business uses and understands, it is equally incumbent on the business owners to learn what technology is being used and what terminology describes it. Communication is, after all, a dialog and that means it takes two to communicate.
Cyber security threats are going to continue to grow in the coming years, so it is essential that companies start securing their entire digital infrastructure, which begins by putting in place information security policies and procedures, provisioning and hardening such systems, and then undertaking comprehensive security awareness training for employees. Call it the 3-point stance for protecting your organization. The problem is that most companies (1) have outdated policies, (2) don't have formalized procedures and checklists for hardening their information systems, and (3) do little or nothing when it comes to security awareness training. This won't cut it in today's world, so it's time to get serious about information security.