
Infosec 2013: There is no such thing as information security risk

CISOs need to align their security strategy with their business goals, claims panel


There is no such thing as information security risk, according to a panel of security professionals speaking at the Infosecurity Europe 2013 conference in London; the only risk that matters within any organisation is the risk to the bottom line.

Serge Baudot, head of information security and business continuity management at easyJet, explained that one of easyJet's most important assets is its reputation. The organisation is therefore constantly looking for ways to protect its reputation, and has identified about 12 events that would cause it serious reputational damage. 

One of these events is a major IT systems failure, and information security, disaster recovery and business continuity all help to mitigate this risk. However, none of these solutions holds any significance individually, except in the context of its ability to mitigate the primary risk of a major IT systems failure.

This is an important point for chief information security officers (CISOs) to remember when discussing information security budgets with the board, according to Baudot. If the strategy or technology that you are trying to sell to the board can be related back to mitigating one of these primary risks, then you are onto a winner.

“I've been lucky enough to have direct access to the board on several occasions, and they are very much running the business by risk,” he said. “I think the best approach to selling risk is throwing the text book out of the window and asking, what is it you're trying to protect ultimately?”

Michael Paisley, head of operational risk at Santander, reinforced this point, claiming that the focus of the IT department is too often on how risk management is going to improve information security, rather than on what information security is going to do for risk management.

“The only reason we do information security is to manage the risk of the organisation,” he said. “We are all risk managers, whether you consider yourself to be or not, so the question to us is, do we actually understand what we're trying to achieve when we talk about risk assessment?”

Paisley added that a good information security expert does not necessarily make a good risk analyst, and organisations need to realise this. The best way to manage risk is to have blended teams that can both identify the potential risks and implement the solutions needed to mitigate them.

He recommended moving away from risk registers, which reduce risk assessment to a tick box activity. By tackling the problem holistically, security professionals are much more likely to get buy-in from the board.

“If you've got a risk register of 20, 30, 40 individual risks, the chances are that they are all going to be far too low, you're not going to get any buy-in from anybody because you're really not talking about anything that is a risk to a big organisation – not when you've got projects going through that are £300 million, £400 million projects,” said Paisley.

“It's critical that you look at things from the perspective of, what are the events that will crucify us? And they're the ones that you do risk assessment on. Most other things you do risk management, and you probably do it via a practice-based approach.”

Amar Singh, CISO at News International, added that risk articulation is still a challenge within IT, and this is partly down to the use of risk registers. He said that it would be better to give the security professional the opportunity to build a narrative, and explain the cause, event and effect.

However, Paisley warned that risk assessment will never enable organisations to predict the future. Instead it should enable organisations to get to the point where their assessment process takes account of the uncertainty and attempts to understand the probabilities associated with it.

“It's finding out what your business goals are, and aligning your security strategy with them,” concluded Forrester analyst Andrew Rose. “It's very empowering for security professionals to align their information security and your business strategy. It overcomes so many problems.”
