Monday, February 6, 2012

Week 9

This week, I got to post a blog for CYBR 610: Risk Management, taught by Ronald Woerner, aka "Coach." Some of the articles I found seemed appropriate here as well. The EC-Council is recommending that CISOs change how they do risk assessments by "wargaming," and the Financial Times states that organizations are still blind to the importance of information security. I have included a link to the EC-Council's white paper on wargaming below. Enjoy.

In one of Coach's blogs, he mentioned that 2011 was the "Year of the Breach" and that, as risk management professionals, we should do what we can to make 2012 the "Year of Security" (Jan 4, 2012). However, according to the Financial Times, that may be easier said than done (Risk Managers' Uphill Task).

"The importance of risk management will increase in 2012, said more than 90 per cent of risk managers in a survey, but the biggest challenge they have is demonstrating the value of risk management."

This means that if you are in risk management or information security, you are simply an adviser. In "IT Risk: Turning Business Threats Into Competitive Advantage," the authors state that risk management is not just one department's job; it should be integrated into the organization's culture so that it is simply part of everyone's job. The Financial Times seems to agree:

"The risk managers agreed the single most important development for risk management would be a change in organizational cultures that led to a better defined risk appetite."

Another article stressed that CISOs must impress on their organizations that security is no minor concern (EC-Council Encourages CISOs To Adopt A New Risk Management Process To Prevent Information Security Breaches).

"The damage created by the highly publicized security breaches in 2011 has many Chief Information Security Officers (CISOs) seeking alternative ways to create strategies to manage risk. A new risk management process called Business Wargaming will help the CISO forecast future scenarios and build better proactive and reactive strategies."

Business wargaming allows a CISO not only to prevent the most common breaches, but also to anticipate and prevent future ones. The argument is that with newer technology such as smartphones, iPads, and cloud services, conventional risk management is no longer as effective as it once was.

Want to know more about wargaming? See the EC-Council white paper: Wargaming For Chief Information Security Officers.

While it may take some convincing for upper management outside the realm of IT to accept that information security is as important as customer satisfaction and sales, the one thing I have run into isn't that kind of apathy, but rather ignorance of information security altogether.

When I was working with Sears, the owner didn't even know that information security existed, and he became the victim of refund fraud. During a recent job interview, I was almost not hired because the interviewer thought that cybersecurity was only for organizations like the military and the DoD, and that the base would snatch me up. He did not know that cybersecurity applies to everyone, from the PC at home to government top secret classified information.

Perhaps information security's worst enemy is ignorance, not apathy. One thing is for sure: together, both are a recipe for disaster for any organization. It's our job to hit these organizations with the 2 x 4 of truth before the 2 x 4 of reality hits. We do this by closing the language barrier and ending the segregation of roles. Upper management and IT need to be tightly connected to each other so that security becomes part of the organizational culture. Once they are connected, both can focus on the same organizational objective; instead of competing for resources, they work cohesively toward the same goal, each in its own way.

References:

Grene, Sophia. (2012, February 4). Risk Managers' Uphill Task. Financial Times. Retrieved from http://www.ft.com/cms/s/0/8926d1b0-4e5b-11e1-aa0b-00144feabdc0.html

PRWeb. (2012, February 6). EC-Council Encourages CISOs To Adopt A New Risk Management Process To Prevent Information Security Breaches. Retrieved from http://www.prweb.com/releases/prweb2012/2/prweb9169249.htm

Westerman, George, and Hunter, Richard. (2007). IT Risk: Turning Business Threats Into Competitive Advantage. Boston, Massachusetts: Harvard Business School Press.
