Solid business acumen skills are an absolute requirement in information security today. Along with having the ability to develop business cases and manage budgets, though, security professionals also need to know how to communicate risk to business leaders.
Since information security is one of many areas of risk in an overall business equation, the goals and objectives of security are potentially competing with others for resources, capital and awareness. By leveraging business skills and adopting a common language to communicate risk, you can help business leaders understand the concerns and thereby increase your chances for gaining consensus.
Of course, it is not possible to develop a standard set of risk categories that would fit every financial organization. Each company has its own specific methods of measuring risk and risk absorption. Some financial organizations take into account the following:
Technology risk: reflects the effects of technologies that change or evolve in ways different from those expected
Legal risk: changing laws and regulations
Commodity risk: price changes in commodities and services that are used or produced disproportionately by a specific industry
Location risk: where you are physically located and secondary interests
Government risk: the type of government in which businesses operate (communism, democracy, etc.)
While it is important to map out the risk terms and categories used by your financial organization and to build your risk assessment reports using those terms, it is also necessary to understand some key fundamental terms that can be used across all industries.
There are some basic, fundamental terms that can be used to universally communicate risk and to align it to the business processes.
Probability: the likelihood of a risk occurring
Impact: the consequence if a risk does occur
Proximity: how close you are to a risk
Period: the time window where a risk can increase or decrease
Control state: the current state of controls to mitigate risk
Residual: the risk that remains after controls have been implemented
The key to communicating risk is to first learn your business and determine how information security risks roll up into the risk terms used by your organization, which could be industry-specific or the fundamental terms above. These terms can be used as building blocks in developing the business case for communicating risk. But don't stop there.
It is important to make the information security risk areas align as close as possible to the specific business risk areas that your organization typically uses. If the business uses industry-specific categories or even the fundamental terms, roll up the information security risks into the ones that fit best. Resist adding new categories, or expanding the business terms and categories because it can introduce confusion and thereby potentially cause rejection of your goals.
Risk is measured in fundamental terms of impact and probability. Many traditional risk assessment practices combine these two measurements into a single rating. The danger in relying on that combined rating is that a high-impact risk believed to have a low probability can end up rated as an average risk. Many inaccurately assume that because a particular incident has not happened in the past, it will never happen in the present. Information security professionals must not compromise their position on charted risk until they gain consensus and accountability from the business leaders.
Proximity and period risk are two terms that are very important in preventing any security disasters. Period risk refers to a condition within a certain window of time, such as an end of quarter close or a hurricane season. The proximity of the risk is in direct relation to how insecure a condition becomes as a particularly risky time period approaches. Some examples of proximity risk include a building located near hurricane zones or increased accounting activity before quarter close. By including these terms in your risk definition, you can mitigate the risk proactively, thereby managing it at a fraction of the impact cost.
Control and residual risk work together in measuring the current state of the controls in place to prevent or reduce a certain risk. Of course, residual risk is the condition or exposure your company has if the controls fail or do not completely mitigate the risk. The balance between business agility and cost effectiveness rests with how well the control state can be leveraged to reduce residual risk. These elements are important to include in risk assessments since residual risks will always impact the bottom line in some form or fashion.
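As an added example (not from the article), the small Python risk register below shows the pitfall described above: multiplying impact by probability lets a high-impact, low-probability risk average out to "medium", while an impact floor and a residual-risk calculation based on the control state keep it visible. The 1..5 scales, the bucket thresholds, the control_state fraction and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed scales (not from the article): impact and probability on 1 (low) .. 5 (high),
# control_state as a fraction 0.0 (no effective controls) .. 1.0 (fully mitigating).

@dataclass(frozen=True)
class Risk:
    name: str
    impact: int
    probability: int
    control_state: float

def inherent_score(r: Risk) -> int:
    """Traditional combined rating: impact multiplied by probability (1..25)."""
    return r.impact * r.probability

def bucket(score: float) -> str:
    """Assumed thresholds for turning a 1..25 score into a three-level rating."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def rating_with_impact_floor(r: Risk) -> str:
    """Same bucketing, but a high-impact risk is never rated below 'high'
    just because its probability is believed to be low."""
    label = bucket(inherent_score(r))
    if r.impact >= 4 and label != "high":
        return "high (impact floor)"
    return label

def residual_score(r: Risk) -> float:
    """Residual risk: the inherent score scaled by the share the current control
    state does NOT mitigate; equals the inherent score if controls fail entirely."""
    return inherent_score(r) * (1.0 - r.control_state)

# Constructed sample risk register, for illustration only.
REGISTER = [
    Risk("customer data breach", impact=5, probability=2, control_state=0.6),
    Risk("phishing of finance staff", impact=3, probability=4, control_state=0.5),
    Risk("office printer outage", impact=1, probability=5, control_state=0.0),
]

def summarize(register=REGISTER) -> dict:
    """Map each risk name to (combined rating, rating with impact floor, residual score)."""
    return {r.name: (bucket(inherent_score(r)), rating_with_impact_floor(r), residual_score(r))
            for r in register}

if __name__ == "__main__":
    for name, (combined, floored, residual) in summarize().items():
        print(f"{name:28} combined={combined:7} floored={floored:20} residual={residual:.1f}")
```

The breach row is the case the text warns about: a 5-by-2 score lands in "medium" on the combined scale, and only the impact floor and the residual figure make clear that the exposure is still large if the controls fail.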
By using these key, fundamental terms to describe information security risk in business objectives, you will begin to speak a common, universal language that can be understood. As the business goals change and integrate into real capabilities, you will become a partner at the risk table and be able to incorporate sound security practices much earlier in the business process.
About the author:
Rick Lawhorn, CISSP, CISA, has over 18 years of experience in information technology, which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for GE Financial Assurance, CISO for Genworth Financial and served in information technology leadership roles within Hunton & Williams law firm and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at firstname.lastname@example.org.
This was first published in October 2008