Friday, 12 April 2013


For too long information security has been risk-averse. What we actually need is a risk strategy that is based on business goals. Sometimes we will accept risk, at other times we will mitigate or avoid it, and in some instances we will stop the risk by not engaging in the activity at all. The part that seems to be hardest for many people to understand is that sometimes we have to accept risk. What becomes important here is to be able to measure risk. Without adequate metrics and a means to put a value on the risk we are taking, we are guessing in the dark. That is the riskiest proposition of all.

Risk is not just about cyber attack. Even when risk is limited to information technology, electronic attacks remain a small factor. Hence, security is not just about stopping attackers but rather about maintaining an acceptable level of risk, which means an acceptable level of loss. Yes, loss. There are no absolutes, and spending too much on security can be more of a loss than suffering an attack.

When thinking about security risk we need to consider more than just cyber attack. In fact, there are many aspects of security that seem mundane and are commonly overlooked. These sit within the realm of management and governance and are far more critical than the latest product (i.e. toy), such as a new IPS.

Some of the most important but frequently overlooked risk factors of an organization related to information security include:

  1. a lack of skilled staff
  2. a lack of training or awareness for personnel
  3. interpersonal issues between personnel
  4. poor communication, documentation and updates
  5. misunderstandings as to the business requirements.

On top of this, third-party issues are frequently a major concern. Contractual problems, failure to deliver or to live up to expectations, or even a markedly different approach to risk on the part of the third party are a major cause of concern.

So the next time we start to think about risk as it relates to information security, we need to think holistically. That means considering the entire environment. Hackers are not our sole risk; our biggest risk comes from not understanding our environment. Most importantly, we need to understand the business that we are seeking to protect, and understand that sometimes it is necessary to accept risk and that sometimes it is necessary to walk away from a project.
