Companies that perform traditional risk management use a business impact assessment to gauge the risk a project will introduce into the business. The engagement between security and business is measured in information security concepts rather than business terms. Could this be why data loss constantly makes the headlines?
The field of information security can be seen as the team who likes to police projects without providing useful advice and, therefore, not only risks alienation but lacks influence. Nowadays, business owners are asked to undergo a process that focuses engagement too heavily on what can go wrong. This process determines how much information security involvement is required.
This is self-selection in that business owners will respond in a way that meets the goal of shortening their time-to-market without necessarily addressing the risks that a security professional would want addressed. If you think of the questions asked on an immigration form, your answers tend to be skewed towards what you believe will get you through the gate and into your hotel in the shortest possible time.
Are business impact assessments seen as just crude tools for weeding out problem projects? Are confidentiality and integrity suitable ways to measure the success or failure of a project when making the business concept work was all that was considered?
A future approach
Perhaps it is time that the traditional model for capturing confidentiality, integrity and availability is replaced by tracking where data is actually used. This could be done by asking business owners to mark out how data flows across an organisation against a popular business model. You might even use standard controls for projects where data does not leave the company and does not include storage of personally identifiable information. Application reporting (excluding financial) and monitoring facilities are examples where agreeing in advance on acceptable flows of information gives better service to the business by speeding up the process to decide which projects get the most attention.
The whole process has to be tailored to the organisation and be adaptable to the local cultural problems associated with a global company. If the results of a business impact assessment are framed on a spectrum, compared with other projects in the same business unit, then this can be used to apply appropriate controls.
If the correct information is captured at the appropriate time in a manner that's relative to experience, then the outcome is right for both sides. Otherwise business impact assessment risks becoming abandoned in favour of a reactive approach driven purely by incidents. Business owners are already afflicted by information overload.
Only once business impact assessments address the legitimacy of business activities by examining the underlying business models will we move away from being policemen and become proponents of the business in getting the most that technology can deliver.