Applying risk management principles to information security is typically a challenge, but this is largely due to incorrect perceptions by the business, said News International CISO Amar Singh.
“The minute you mention risk management, most business people think of having to fill in a risk register in the form of a spreadsheet, which most people dislike,” Amar Singh told Computer Weekly.
Singh is on a mission to move beyond this perception by introducing risk management “by stealth” in his organisation.
“Communication is my main modus operandi, my weapon of choice,” he said.
By talking to every business manager about risk in every context of the business, not just IT, he offers expertise and support for whatever form of risk management they want to adopt.
“Picking up the admin involved provides an opportunity to introduce the concept of a risk management framework, which makes managing risk part of business as usual,” said Singh.
He believes this is much more effective than kicking off a big project to adopt a risk management framework across an organisation.
Singh also believes it is important to encourage people to think about opportunities as well as risks, such as the opportunity to introduce secure software development processes to mitigate application risk.
By enabling everyone to contribute to identifying risks and opportunities, he has been able to get much better engagement from people in the business.
“The minute anyone mentions the opportunity angle, the uptake increases because people feel they have a stake in what they are doing rather than just identifying problems,” said Singh.
While it is necessary to have a risk management policy and process guide in place to provide the necessary framework, that should not be the starting point, he said.
According to Singh, one of the most obvious benefits of a risk-based approach to security is that making a business case for investments at budget time is much easier.
More on risk management:
It is difficult to get budget for “addressing software security,” but relatively easy to get budget for technology that reduces or eliminates the risk of a £2m fine for poor software security practices, he said.
“A risk-based approach enables IT security professionals to articulate the need for investment or other action in terms that the business is better able to understand,” said Singh.
Information technology underpins just about everything people do in business today, he said, which also provides an opportunity to engage with everyone across an organisation and get buy-in.
Support from the top is also vital.
“If you have a mandate from the CEO, you will have the ear of everyone below, and they will be far more likely to be willing to act based on risk."
Another key component is to develop key performance indicators, as Singh is doing at News International.
“This is very useful in justifying big projects and demonstrating how security can make a difference to the bottom line while keeping technology out it,” he said.
The ultimate goal should be managing risk, not just putting risk in a spreadsheet. “There must be a proper framework in place to address risk fully,” he said.
Singh is to be joined by security officers from Easyjet, Ofgem and Santander in a panel to discuss Infosecurity Europe 2013 at Earls Court, London on 23–25 April.