Security executives routinely have to make tough decisions about which risks to mitigate, which to avoid or transfer and which to accept. Your security budget has its limits. You have a finite amount of cash to spend on people and technologies to keep your business' risk to an acceptable level, so you have to make your decisions wisely.
Making these decisions and presenting them to company leadership requires a thorough understanding of the impact of the risk, knowledge of available safeguards and sometimes the guts to make a tough call. The goal of this article is to arm you with an approach to help guide you in these difficult risk decisions.
Measure the impact
If the way you measure risk is not aligned with the business, then the way you treat risks is likely not going to be either. If you still measure risks using the age-old qualitative Low, Medium, High scale, then how do you know whether your risk decisions are aligned with business needs? How will you describe to senior executives or board members what impact these risks may have on the business, and how will you justify the security investments that are needed convincingly enough for them to see the value in taking action? When leadership asks what the ROI of security is, how will you answer?
To arm yourself with answers to these questions, you first have to properly measure the impact that a given risk has on your business. To understand the impact, you will need to know which assets will be affected by the risk (if it occurs), how extensively those assets will be affected and the cumulative business value of the impacted assets. When calculating business value, it is important to consider information assets as well as infrastructure assets. The value of your information assets may not be as obvious as that of infrastructure assets. A recent Forrester Research report provides some clarity by stating that, "...the value of information is a percentage of the current and future revenue the information will produce, less the direct and indirect costs to produce, manage and protect it."
If a given risk occurs, the impact to your business will be a combination of the cost of the exposure plus the revenue lost while the asset is unavailable. The Ponemon Institute offers some useful guidance on the cost of an exposure of personal data (e.g., personally identifiable information) on a per-record basis. Leverage this guidance, but also calculate the revenue your business will lose if the impacted asset(s) become unavailable. When assigning a value to a risk, express that value in terms of money. In so doing, you will be able to compare both business value and risk value using the same measuring stick. This is the essence of risk monetization. Monetizing your risks in this manner will give you the ability to align your security program with business objectives. Businesses exist to make money, so putting your risk valuations into monetary terms will help you measure them according to their impact on the business. Executives understand bottom lines much better than they do security risks. When you explain your reasoning for mitigating (or not) a given risk, they will be able to make more informed decisions because the reasoning is presented in a context they understand.