Risk is a highly variable concept. The way risk is perceived is dependent on the individual person’s perspective and understanding of risk. Often, a conversation around risk evokes an emotional response from those involved. For example, have a conversation with your significant other about the risk factors associated with the possibility of losing your job during this pandemic. This will most likely result in an emotional response.
Using the same example, when contemplating the possibility of losing your job, what level of information do you feel is necessary to obtain to make decisions for something as serious as providing for yourself and your family? Do you need to run down every single detail or are general ideas by category more your speed? It is exactly the same for decision-makers in a business. But what if they don’t have the time to run down every detail? What if the information available or the process to obtain it is not that great? A lack of visibility creates a lack of risk clarity.
Ask any entrepreneur and they will tell you that starting and running a business is an exercise in risk management. Executing on a business plan is the continual practice of minimizing unknown risk to make decisions and commit resources to create business value. What happens if the business leader, through no fault of their own, is not presented with a true picture of the risks facing the business? Most people will agree that it is their responsibility to seek out and understand those risks. Do they get a free pass because they do not understand certain types of risk that could negatively impact the very existence of their business? It is possible to approach risk in a way that minimizes naturally occurring blind spots.
Enterprise Risk Management (ERM) serves this function and is described as the methods and processes used by organizations to manage risks and seize opportunities related to their objectives. ERM formalizes how an organization considers all types of risk and provides pre-planned mitigation and responses if the risks are realized.
Drilling deeper into the risk landscape, we move into two areas that require precision in how we define them. Information Systems (IS) are defined in the ISACA Certified Information Systems Auditor (CISA) body of knowledge as the “combination of strategic, managerial, and operational activities and related processes involved in gathering, processing, storing, distributing, and using information and its related technologies.” Now, I don’t mean to bore you with official definitions, but it is necessary to differentiate between two terms that tend to be used interchangeably. Information Technology (IT), according to the CISA body of knowledge, is the “hardware, software, communication, and other facilities used to input, store, process, transmit, and output data in whatever form.” To drive the point home directly, the concept of Information Technology is contained under the umbrella of Information Systems. Why is this important?
Over time, IS and IT have come to be used almost interchangeably. It is especially important to distinguish the two when discussing risk. IS encompasses people, process, and technology, while IT refers only to technology. When assessing an organization, it is critical to evaluate it through the lenses of people, processes, and technology, with each area relying on the others and none more important than the rest. The cybersecurity industry relies heavily on technical tools in its approach to its mandate. It can be said that it relies too much on technology, or is too heavily focused on technical solutions. This may be a function of the effectiveness of product sales teams, or of the origins of cybersecurity job roles and qualifications. That would be the subject of a different blog post.
All of the above to say this: you must take a holistic view of risk as defined by the area of Information Systems, such that people, process, and technology receive an equitable accounting. Most organizations today possess a technology bias when assessing their risk. What type of firewall am I using? Does my SIEM use artificial intelligence (AI)? Although these are very important questions, there are opportunities to drill down into each of them. What process do we use to update the firewalls so we don’t create an outage by accidentally blocking all connections? Who is allowed to update the firewall, and how do we make sure that person is updating it correctly? How do we make sure our use of AI only benefits our organization and does not hurt us? Who has the authority to make changes to the AI logic in our SIEM, and how is that access controlled?
In summary, when you consider risk, consider the people and how they are involved, the processes necessary to govern and execute, and the technological solutions that support controlling that risk. I believe the cybersecurity industry is improving its overall approach to risk management, but it also has a long way to go. Start the risk discussion with your business partners. Understand their goals and explore the risks that are created by pursuing them. This creates the foundation of the risk profile for your organization. — David Malicoat, CEO and Founder