In Information Assurance/Security management we often feel that organizations are not as receptive to emerging threats as we consultants feel they should be. For those of us who follow the incidence of cyber threats around the world, there appears to be a minefield of risks in everything we do. If we are recruiting a key employee, we worry that he is a mole from a competitor. If we receive an email, we suspect it contains a virus. If somebody offers freebies, we think there must be some embedded risk. In fact, we live in a state of constant fear.
On the other hand, when as consultants we approach a corporate which we think should jump at our offer of consultancy for risk assessment and mitigation, we are surprised at the cold reception we may receive. Some managements think that a consultant speaks of risk for his own benefit and fail to see any corresponding benefit the company may have. Sometimes this doubt stops the consulting proposal itself, and sometimes it goes further into questioning the pricing of the consultancy service.
While the consultant feels that he is providing a high-value service which should reasonably be priced at, say, Rs x, the corporate being asked to buy the service is not so sure about its value and therefore rejects the offer or provides a counter offer which the consultant decides to pass up.
In the bargain, the company continues to bask in the feeling “All is Well” until disaster hits one day and consumes the organization in full.
I was recently reading about a piece of research in psychology where a researcher was testing when a house fly will stop eating. He found that the food the fly consumes passes through the gullet, where there is a nerve which recognizes how much food has passed through. The desire to consume is itself triggered by another nerve in its legs, so that when these sensors sense food it will start eating, and when the gullet nerve indicates enough is enough, it will stop eating. The researcher continued his experiment by surgically removing the gullet nerve and found that the fly went on consuming food even though it bloated the fly to a level where it could burst. This tendency is also found in ants that serve as storehouses of food and keep bloating, unmindful of the consequences.
This example is very relevant for Indian companies when we talk of Information Security risks or ITA 2008 compliance requirements. It appears that corporates have no means of measuring how much risk they are consuming and maintain an infinite risk appetite. In the field of financial investments the market is more mature, and corporates have some measure of their risk appetite and a sense of how far they can go before they say “Enough is enough” and pull out of their risky investments. Unfortunately, in the field of “Information Risk” managements do not have the same understanding of the risk environment, the threats and the vulnerabilities, and therefore fail to take appropriate risk mitigation measures. Even those who have crossed this threshold for various reasons and instituted some kind of risk management measures may also fail to understand the efficacy of “Controls” and be satisfied with “Controls for the sake of audits” rather than “Controls for the sake of security”.
CISOs in every organization therefore have the biggest task of getting the attention of top management for their field of work, and often find it the most challenging aspect of their job. The problem with many CISOs is that they are strong in security-related knowledge but weak in public relations or communication capabilities.
I therefore suggest that CISOs should consider “Communication Skills” as part of their required skill set and keep enhancing these skills through appropriate training on this facet of management from time to time. This could result in better communication of risk to top management and ensure that the risk appetite of an organization does not cross the limit of danger.
I invite CISOs to share their views on “What is the risk appetite of my organization?” and share what risk appetite measurement strategies they adopt in their organization.
Naavi
EXCELLENT article, Sir. Hats off.
You have mentioned here a very realistic situation of corporates who are acting like flies/ants with their sensory nerve removed for risks related to information security, compliance and awareness.
As security pros, we are concerned about the risks that an organization faces, but the management does not have that ‘eye’, and hence this happens and they live in a false security shell.
This difference of views between management and security consultants / pros will remain unless and until some sensible and technically sound individual from management takes up the initiative and works for a cyber secure organization. But that fact remains somewhat far off, and the customers whose sensitive data remains with organizations remain vulnerable to theft and misuse!
Radical changes must be brought about, and with that, a huge change in the mentality of management is also needed.
How many of us go for a routine medical checkup which is designed to detect possible health risks at an early stage, and how many of those who go for an annual checkup take these tests because they are well packaged under a simple framework, ‘Executive Health Checkup’?
I feel that the current security risk assessment frameworks are designed for comprehensive or detailed risk assessments.
A simple risk assessment framework similar to ‘Executive Health Checkup’ is required in the industry to help organizations to subject themselves for a test and get sensitized with risk and then decide on the appetite.
I agree. It is for this purpose I had developed a framework called Total Information Assurance For Modular Implementation. More information is available at http://www.information-assurance.in/tiaf4mi.html
Fine way of describing, and a good post to obtain facts about my presentation subject matter, which I am going to present in university.