With security threats evolving faster than ever, organisations need a systematic approach to understanding risk. Risk management and budgeting succeed when critical decisions are taken by the right stakeholders on the basis of relevant facts and data. We therefore need the right data and the right people involved to ensure that we:
- Objectively develop prioritised and actionable plans that improve security and manage risk;
- Understand costs and benefits; and
- Articulate and defend the criticality of security and risk projects.
To help a board understand the risks, threats and costs, we must get the balance right by putting security and threats into context. The conversation is no longer "We need a firewall". We need to translate the bits and bytes into a conversation about risk and cost, so that senior leaders truly understand the threats and the mitigations they require.
The best security comes from the right people with the right information making the right decisions. To truly improve security, we must first answer a few key questions:
- What are you protecting?
- What is it worth to you?
- What are you protecting against?
- What are the consequences if you fail?
So, for example, if I simply tell a CIO that his company has 20 vulnerabilities, how can a decision be made on what to fix first? If, however, I explain the risk each one carries and the cost to mitigate it, an informed decision can be taken. And if I can also show that the risk from those vulnerabilities is actually quite low, or that mitigating factors or compensating controls can be put in place instead of a fix, that changes the decision again.
A control framework that you can measure against lets you go to management and say: this is what we are aiming for, and this is how we will get there.
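As an added worked example (not code from the article or from Integralis), the Python script below ranks a constructed list of findings the two ways the paragraphs above contrast: by scanner severity alone, which is the "20 vulnerabilities" view, and by expected loss avoided per dollar of mitigation, which is the risk-and-cost view. It then fits a plan to a budget and reports the residual expected loss, the measurable figure a board can be given. The findings, asset values, likelihoods, costs and the scoring formula (annual loss expectancy times mitigation effect, divided by mitigation cost) are all assumptions chosen for illustration; a real programme calibrates them from its own threat data and control framework.

```python
"""Risk- and cost-based prioritisation of a vulnerability list.

Added illustration for this article, not code from the author or Integralis.
All findings, asset values, likelihoods, costs and the scoring model are
constructed assumptions for the example.
"""
from dataclasses import dataclass
from typing import List

# Scanner-style ratings, the only input in the "20 vulnerabilities" conversation.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str              # scanner rating as reported to the CIO
    asset: str                 # what are you protecting?
    asset_value: float         # what is it worth to you? (loss if fully compromised)
    exposure: float            # share of that value lost if this flaw is exploited
    annual_likelihood: float   # chance of exploitation per year from the threat model
    mitigation_cost: float     # one-off cost to fix or to put a compensating control in place
    mitigation_effect: float   # share of the likelihood the mitigation removes (1.0 = fully fixed)


def annual_loss_expectancy(f: Finding) -> float:
    """Expected yearly loss from leaving the finding as it is."""
    return f.asset_value * f.exposure * f.annual_likelihood


def risk_reduction(f: Finding) -> float:
    """Yearly loss avoided if the mitigation is applied."""
    return annual_loss_expectancy(f) * f.mitigation_effect


def return_on_mitigation(f: Finding) -> float:
    """Loss avoided per unit of money spent: the ranking key for the risk-and-cost view."""
    return risk_reduction(f) / f.mitigation_cost


def by_severity(findings: List[Finding]) -> List[Finding]:
    """The severity-only view: sort on scanner rating, ties keep list order."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


def by_return(findings: List[Finding]) -> List[Finding]:
    """The risk-and-cost view: sort on loss avoided per dollar, highest first."""
    return sorted(findings, key=return_on_mitigation, reverse=True)


@dataclass
class Plan:
    chosen: List[Finding]
    spent: float
    residual_ale: float   # expected yearly loss that remains after the plan


def plan_within_budget(findings: List[Finding], budget: float) -> Plan:
    """Greedy: take findings in return order while they fit the budget, skip those that do not."""
    chosen: List[Finding] = []
    spent = 0.0
    residual = sum(annual_loss_expectancy(f) for f in findings)
    for f in by_return(findings):
        if spent + f.mitigation_cost <= budget:
            chosen.append(f)
            spent += f.mitigation_cost
            residual -= risk_reduction(f)
    return Plan(chosen, spent, residual)


# Constructed sample register (hypothetical names and figures).
SAMPLE = [
    Finding("rce-marketing-site", "critical", "public marketing web server",
            50_000, 1.0, 0.60, 2_000, 0.95),
    Finding("no-mfa-payments", "medium", "finance payment portal",
            4_000_000, 0.25, 0.15, 40_000, 0.80),
    Finding("default-creds-dev-box", "high", "developer sandbox",
            5_000, 1.0, 0.90, 500, 1.00),
    Finding("unencrypted-backups", "critical", "customer records database",
            2_000_000, 0.50, 0.05, 120_000, 0.90),
    Finding("weak-tls-wiki", "low", "internal wiki",
            20_000, 0.20, 0.02, 1_000, 1.00),
]


if __name__ == "__main__":
    print("Severity-only order:   ", [f.name for f in by_severity(SAMPLE)])
    print("Risk-and-cost order:   ", [f.name for f in by_return(SAMPLE)])
    plan = plan_within_budget(SAMPLE, budget=45_000)
    print("Plan within 45,000:    ", [f.name for f in plan.chosen])
    print(f"Spent {plan.spent:,.0f}; residual expected loss {plan.residual_ale:,.0f} per year")
```

In the sample, the auditor-rated "critical" backup finding drops to fourth place once its low likelihood and high fix cost are taken into account, while the "medium" missing-MFA finding on the payment portal moves up; that reordering, plus the residual figure the plan leaves behind, is the conversation the article argues for.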
Above all, we need to impress on board members that the state of the world's information favours the hacker now more than ever. Digital information, already portable, mobile and ready to be stolen, accounts for over 94 percent of the world's recorded information. Hackers also have major cost and technological advantages: for example, a day and a US$200 graphics card are enough to crack an eight-character password stored with a fast, unsalted hash. (A deliberately slow, salted password hash raises that cost by orders of magnitude, which is exactly the kind of cheap, measurable control a board should hear about.)
Given that, the security mindset has to move well beyond bolting on solutions to address a particular problem or threat at a time. The best way to defend against security threats is to be focused, systematic and proactive - with informed buy-in from the highest levels of the organisation.
Philip Kwa is vice president of ASEAN, Integralis.
Source for the 94 percent figure: University of Southern California Annenberg School for Communication and Journalism.