Last week, I attended an all-day information security/IT risk management industry event in New York City. The organizer, a leading source of industry news and knowledge, did a great job selecting and attracting star speakers and arranging their appearances into two stellar program tracks: Management and Technical. I picked the Management track, as it offered a more strategic overview of the most important trends affecting the art and practice of IT risk and information security in organizations. From the opening keynote to the closing remarks, every session offered a great perspective on a hot area of IT risk and the many information security threats that organizations face today.
After each presentation, I got an opportunity to ask questions and shake hands with some of the brightest minds in the infosec industry. There was one aspect of IT risk that none of the presenters mentioned during the event—at least not during the sessions that I attended. It is not in any way a fault of the event organizers, nor is it a weakness of the star speakers who took the stage. The omission is a testament to the current state of affairs and the predominant thinking in the infosec/IT risk profession today.
Faced with numerous emerging threats and continuously evolving compliance requirements, the people responsible for overseeing IT risk (the Second Line of Defense, in the IIA’s excellent Three Lines of Defense Model) often forget that business risk is a two-sided concept. The latest editions of ISO 31000:2018 and the COSO ERM Framework (2017) guidance underscore the dual nature of risk, which can lead to positive as well as negative outcomes. Taking the negative-only, one-sided approach to risk management, where everything has the potential to harm and destroy, is both the most expensive approach and not very granular. The lopsided treatment is similar to installing an ultrasonic bird repellent to protect against a particular type of “risk bird.” At first glance, the noisy digital contraption might appear to be the fastest, the cheapest, and the most effective way to address the problem. In the long term, however, the annoying gadget will drive all birds away—good and bad—and may, as some studies suggest, be harmful to people too.
A different and much more business-savvy approach to an incoming source of risk is to start by asking: “What does this mean for our business?” An expert birdwatcher might wish to zoom in to better identify a passing bird before deciding whether to classify it as a common predator or a rare find. An OCEG webinar I attended today provides an excellent example of this more sensible, business-value-driven approach. Dorian Cougias and Jason Mefford, the expert and fun-to-listen-to presenters of the one-hour live event dedicated to GDPR, did a great job going beyond the hype and the countless “be very afraid” proclamations to help the audience learn more about the new GDPR compliance requirements and then precisely calibrate their response to them without indiscriminately impacting their business. We need more industry events like this!