Communicating IRM to the Board
Once Upon a Time – the Information Risk Management Bed Time Story
Once upon a time a young boy asked his father for a bedtime story and wanted his favourite tale. Now the boy was a curious child, and it wasn’t “Who’s Afraid of the Big Bad Wolf” he was after, it was “How to implement effective risk management in a business environment”.
As well as being a good dad, the man was a consummate information security professional, so he happily launched into one of his own favourite stories. The boy was regaled with tales of wicked Threat Sources driving hapless Threat Actors to cause impacts that could only be countered by heroic knights wielding strong security controls. Within 30 seconds the child was fast asleep, smiling at how good this story was at making him nod off.
Zzzzzzzzzzz – are you still awake?
Regrettably the soporific effects of the IRM story are all too well known. As soon as we security people start to explain the obvious benefits of information risk management the eyes of our audience glaze over and the snoring starts. That’s tough! We know it makes sense and our argument is strong, yet getting it across to people and making it relevant is difficult. So, if you’re not sitting too comfortably, let me try again.
Can you tell the big bad wolf from the wicked queen?
Managing a modern business, whether a private or public sector organisation, requires the Board to know what the critical services to customers are and what mechanisms are needed to manage the risks (financial, regulatory, market, competitors etc.) to delivering those services. Business risk management processes, supported by tools, are used to monitor risks and to support informed decisions on how best to take advantage of opportunities and avoid pitfalls.
Protecting your kingdom
Risks to information should be an intrinsic part of the business risk management process but are often left out of it. After all, information risk is an IT ‘thing’, isn’t it, and something for the CFO and the security manager to deal with? In fact information risks are not a specifically IT matter, since information exists in many forms: from company IPR data, to staff personal details, to sensitive client information that you may have been trusted with. Information is crucial to delivering business services, and knowing what information is essential to which business process is the first step to understanding the problem.
Can you answer the following questions satisfactorily?
- Do you know what your organisation’s key information assets are for each critical business service and do you know what impact it would have if these assets were compromised in some way?
- Have you identified what the key threats to the information in these critical services are?
- Are you confident that your organisation’s most important information is being properly managed and is protected appropriately?
Knowing where to station your knights in shining armour
Information Risk Management (IRM) is the process of identifying, understanding and managing the risks to the information necessary to support the delivery of business services. The aim is to support managers in making informed decisions about risk, not stifling innovation with inappropriate and expensive security controls (no matter how heroic the knights wielding them are).
Working for the happy ever after
Tackling information risk needs strategic thinking and a broad view. IRM helps to identify the most important information assets and the risks that arise as a consequence of doing business. Measures to manage risks have to be proportionate and balanced to support business delivery. Effective IRM will:
- Identify what the real risks are to your information
- Inform decision making about taking advantage of business opportunities
- Give customers and partners confidence that their information is protected
- Support critical business functions with a balanced level of protection
A balanced IRM approach will help you to identify and manage the true risks to the information you hold AND deliver wider business benefits from managing the risks to your own information. Looking at both will deliver cost efficiencies and strengthen your business, and you’ll be poised for a happy ever after.
So, if you are having nightmares from the horror stories of unmanaged information risk, here’s what you can do:
- Take our on-line risk assessment ( https://www.ascentor.co.uk/resources/online-information-risk-review/ )
- Read our Board’s Guide to Information Risk Management ( https://www.ascentor.co.uk/resources/the-boards-guide-to-information-risk/ )
- Or contact us if you need further expert advice and guidance.
NB: The department of Business Information and Skills has launched the Cyber voucher Scheme, open to SMEs and sole traders. Organisations can claim up to £5,000 towards IRM measures, but hurry, as the scheme closes on 24th July 2013. ( https://vouchers.innovateuk.org/cyber-security )
So that’s the information risk management story. Still awake? How did I do? I’d love to know.
Article by Steve Maddison, Director and Principal Consultant at Ascentor.