December 23, 2016

Impact vs. risk: information security measurement for agile organizations

Successful information security organizations are often invisible: security is a pervasive but not onerous part of the company's culture, processes and technology. Data, people and other important assets are protected, yet remain dynamic. Does this sound like your company? Probably not; unfortunately, this agile organizational mecca is rare. Too many information security organizations have a philosophy of “risk elimination”, which leads to a proliferation of granular risk measurement processes and tools that require significant resources to maintain. While the end goal is noble, it is also impossible, and overly detailed risk measurement has little practical benefit.

“Risk elimination” also runs counter to the goals of information security's business partners (such as product development, customer experience or finance). That is why 71% of non-IT executives in a 2016 Cisco study said that concerns over cybersecurity are impeding innovation in their organizations. Despite this industry sentiment, it is possible to be agile, risk-oriented and security-savvy. The journey begins with a simple mindset shift: instead of measuring risk, start from business impacts for a broader view.

Start with the standard risk model:

Risk = Likelihood × Impact

where likelihood considers threats and vulnerabilities, and impact considers business consequences. Likelihood can be measured by a bewildering array of technical metrics; numerous big data solutions claim to predict risk on this basis. The data takes time and resources to gather, analyze and share, and often remains too technical to be meaningful to the executive suite. It may feel good to have something to report on, but technical metrics do not answer basic questions like “How are we doing?” and “Can I be confident my company is digitally secure?”

Impact, by its nature, implies an understanding of a company's business objectives, risk appetite and business model. Non-IT executives can describe how much things like privacy, revenue or reputation matter to their company. Information security requirements implicitly address impacts; however, the connection between the two needs to be made explicit. Once linked, it is easy to see how your information security organization's activities line up against what matters most to your business. This knowledge can also be used to generate a set of business-driven goals and activities for the information security organization.

This approach has a few advantages, the most important being that it is easy to do, it assures non-IT executives that information security activity aligns with their business objectives, and it targets activities in such a way that productivity improves and innovation can occur. Whether your company is deep in a risk-elimination black hole or looking for a place to start, beginning with a review of impacts against information security activities will provide direction and improve communication across the board.
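As an added illustration (not code from the post or its author), here is a small Python model of the impact-driven review the article describes: business impacts carry a weight set by their business owners, each security activity is linked to the share of an impact it protects, and the review then reports which impacts are under-covered and which activities carry the most business value. It also encodes the standard Risk = Likelihood × Impact model to show why two findings with the same technical likelihood can differ in priority. The company, impacts, weights and activities are constructed sample data, and the 0.5 coverage threshold is an assumed review policy rather than a value from the post.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Impact:
    name: str
    weight: int  # business weight 1 (minor) .. 5 (existential), set by the business owner


@dataclass(frozen=True)
class Activity:
    name: str
    protects: Dict[str, float]  # impact name -> share of that impact this activity protects (0..1)


# Constructed sample data for a hypothetical company (not figures from the post).
IMPACTS = [
    Impact("privacy", 5),
    Impact("revenue", 4),
    Impact("reputation", 4),
    Impact("availability", 3),
]

ACTIVITIES = [
    Activity("MFA for admin access", {"privacy": 0.4, "reputation": 0.2}),
    Activity("Backup and restore testing", {"availability": 0.6, "revenue": 0.3}),
    Activity("Vendor security review", {"privacy": 0.3, "reputation": 0.3}),
    Activity("Quarterly phishing drills", {"reputation": 0.2}),
]


def risk(likelihood: float, impact_weight: int) -> float:
    """The post's standard model: risk = likelihood x impact."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    return likelihood * impact_weight


def coverage(impacts: List[Impact], activities: List[Activity]) -> Dict[str, float]:
    """Total protected share per impact, capped at 1.0 (fully covered)."""
    cov = {i.name: 0.0 for i in impacts}
    for a in activities:
        for impact_name, share in a.protects.items():
            if impact_name not in cov:
                # An activity that maps to nothing the business named is a review finding in itself.
                raise KeyError(f"{a.name!r} refers to unknown impact {impact_name!r}")
            cov[impact_name] = min(1.0, cov[impact_name] + share)
    return cov


def uncovered(impacts: List[Impact], activities: List[Activity], threshold: float = 0.5) -> List[str]:
    """Impacts whose coverage is below the threshold, highest business weight first."""
    cov = coverage(impacts, activities)
    gaps = [i for i in impacts if cov[i.name] < threshold]
    gaps.sort(key=lambda i: (-i.weight, i.name))
    return [i.name for i in gaps]


def activity_value(impacts: List[Impact], activities: List[Activity]) -> Dict[str, float]:
    """Business-weighted value of each activity: sum(impact weight * protected share)."""
    weight = {i.name: i.weight for i in impacts}
    return {a.name: round(sum(weight[n] * s for n, s in a.protects.items()), 3) for a in activities}


def ranked_activities(impacts: List[Impact], activities: List[Activity]) -> List[str]:
    """Activities ordered by business value, so effort can be targeted rather than spread thin."""
    value = activity_value(impacts, activities)
    return sorted(value, key=lambda n: (-value[n], n))


if __name__ == "__main__":
    # Same technical likelihood, very different business priority.
    print("risk(0.2, privacy=5) =", risk(0.2, 5), " risk(0.2, availability=3) =", risk(0.2, 3))
    print("coverage:", coverage(IMPACTS, ACTIVITIES))
    print("under-covered impacts (<0.5):", uncovered(IMPACTS, ACTIVITIES))
    print("activities by business value:", ranked_activities(IMPACTS, ACTIVITIES))
```

With the sample data the review reports revenue as the only impact below the 0.5 threshold, and ranks backup and restore testing above MFA because it protects a larger share of the impacts the business weighted most. Raising the threshold to 0.75 surfaces every impact, ordered by weight, which is the kind of list a non-IT executive can act on without reading a single technical metric.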