Security risk management and investment depends on getting buy-in from top management, says Sharvind Appiah, chief information security officer at transport and logistics firm Geodis.
“Top management must understand what they need to protect, to what extent they need to protect it, and what investment is required to achieve that,” he told Computer Weekly.
Evaluating threats and assessing risk is key to driving security strategy, prioritising controls and driving resource allocation.
The best approach to getting the necessary executive support, said Appiah, is to express cyber risk only in business terms.
“This typically means looking at each cyber risk in terms of the potential impact it will have on business processes or at the business impact that losing a particular IT or data asset will have,” he said.
In this way, it is relatively easy to attach a financial value to the cyber risk under discussion and justify security investment by comparing the potential losses with what needs to be spent on cyber defence.
Read more on Infosecurity Europe 2014
However, this value remains hypothetical and Appiah would like to see more research in this area to give information security professionals a standardised way of calculating cyber risk in financial terms.
“The problem that most organisations encounter is that risk management from an IT perspective is not yet as mature as other areas such investment risk assessment, for example,” he said.
Establishing a standard way of expressing cyber risk would make it much easier information security professionals to put together business cases for security projects.
But in the absence of such a standard approach, Appiah suggests information security professionals look to the financial sector for guidance on ways of evaluating risk and expressing it in monetary terms.
In practice, this means creating an awareness of risk among people in the business, because it is they who have to take ownership of the risk.
“Although challenging, as it typically involves cultural change, it is important to identify clearly who the risk owners are in an organisation,” said Appiah, but again, this process requires executive support.
This risk ownership approach creates a sense of responsibility for the risk owner to work with the owners of all the assets involved in supporting a single process such as invoicing.
More on risk management
This approach ensures risk management is much more tightly aligned with business processes and highlights the interdependencies of the IT assets involved, said Appiah.
But the problem remains that there is no standard way of quantifying the cost to the business if any supporting IT systems were to fail, he said, underlining the relative immaturity of the field of cyber risk.
Currently, Appiah believes the most effective way of tackling the challenge is to look at the objectives of the business and identify what is most critical in terms of processes and resources.
“This helps to identify what needs to be protected and assigns a priority ranking, and that can be used as a starting point for driving a security strategy.
“Once you identify the area you need to have more focus, the next step is drill down to identify the risks and the risk owners to help align security with whatever is most critical for the business,” he said.
Appiah is to take part in a panel discussion on risk and control: effective risk assessment methodologies to drive security strategy and investment at Infosecurity Europe 2014 at Earls Court London, 29 April to 1 May.
He is to be joined by moderator Dave Clemente of the Information Security Forum and fellow panelists: Vicki Gavin of the Economist Group, Paul Haywood of GE Capital and Thom Langford of Sapient.