Infosec 2013 – The Bottom Line

07 May 2013

Posted by Thaslima Begum

According to a panel of security professionals speaking at the Infosec Conference in London last week, the only risk that matters within any organization is the risk to the bottom line.

Serge Baudot, Head of Information Security at easyJet, explained that one of easyJet's most important assets is its reputation. The organization is therefore constantly looking at ways to protect that reputation, and has identified 12 events that could cause it serious damage.

One of these events is a major IT systems failure, and Baudot believes information security, disaster recovery and business continuity all help to mitigate this risk. However, none of these disciplines holds any significance individually, except in the context of its ability to mitigate the primary risk of a major IT systems failure.

According to Baudot, this is an important point for chief information security officers (CISOs) to remember when discussing information security budgets with the board. If the strategy or technology that you are trying to sell to the board can be related back to mitigating one of these primary risks then you are onto a winner.

“I've been lucky enough to have direct access to the board on several occasions, and they are very much running the business by risk,” he said. “I think the best approach to selling risk is throwing the text book out of the window and asking, what is it you're trying to protect ultimately?”

This point was further reinforced by Michael Paisley, Head of Operational Risk at Santander, who claimed that the focus of the IT department is too often on how risk management is going to improve information security, rather than on what information security is going to do for risk management.

“The only reason we do information security is to manage the risk of the organization,” he said. “We are all risk managers, whether you consider yourself to be or not, so the question to us is, do we actually understand what we're trying to achieve when we talk about risk assessment?”

Paisley added that a good information security expert does not necessarily make a good risk analyst, and organizations need to realize this. The best way to manage risk is to have blended teams that can both identify the potential risks and implement the solutions needed to mitigate them.

He recommended moving away from risk registers, which reduce risk assessment to a tick box activity. By tackling the problem holistically, security professionals are much more likely to get buy-in from the board.

“It's critical that you look at things from the perspective of, what are the events that will crucify us? And they're the ones that you do risk assessment on. Most other things you do risk management, and you probably do it via a practice-based approach.”

However, Paisley warned that risk assessment will never enable organizations to predict the future. Instead, it should bring organizations to the point where their assessment process takes account of the uncertainty and attempts to understand the probabilities associated with it.
