  • cindy8756

What security means for you – You Choose!



Some people don’t like risk assessments in security. I don’t blame them; I used to dislike them too. Why? Well, complaints I’ve heard from different people include:


  • All too often, organisations would use them to justify what they were already doing anyway.

  • They seemed to assume complete knowledge of the risk landscape (which no one had).

  • Security risk assessments would largely forget what the business was trying to achieve.


However, risk assessments do have a really important role most people forget: they define what security is for an organisation.


What does security mean to you?

What? Surely security is the same thing for everyone? It’s a thing, right?

I actually don’t think so. Most organisations I have worked with define 'security' in different ways. Here are some examples:


The compliance organisation

To some, security is simply being compliant with whatever requirement they need to be compliant with. So, if a regulator, or an investor, or a customer, says ‘you must have this certification to do business’, then that’s what security means to the organisation. Security professionals will balk at this approach, and organisations will use all sorts of lovely words to deny it, but in many cases, particularly with small organisations, this is their primary driver.

For these organisations, the alternative would be not doing business, turning the risk of losing money into a certainty. To them, avoiding breaches and suchlike is important, but not as important as doing business. So, they open themselves to criticism from professionals by focusing on what they must do to do business. They have defined ‘acceptable security’ as ‘being compliant’.


The well-intended organisation

To the well-intended, security is the constant cut and thrust of doing something, checking it is still effective, and improving it, with the aim of avoiding (or minimising) issues entirely.

There’s always a new threat, a new technique or a new tool that is a must-have. The threat landscape is ever-changing, as we know. Compliance with requirements is often a side benefit, a temporary distraction from actually keeping data secure.

But this approach tends toward ever-increasing effort and expenditure, and seems to reach a limit beyond which there’s no money, time, or appetite to fix the next big thing. They have reached a natural appetite for risk, beyond which they can’t manage it.


The visionaries and the fatalists

There are some organisations – not very many – who either ignore the problem (‘it won’t happen to me’) or who think they are immune to the problem (‘our proprietary algorithm means we are un-hackable’ etc.).

Compliance tends not to be important to these organisations, but the approach rests on an implicit acceptance that there will be many breaches, even though this likelihood is rarely acknowledged.


How to determine what type of organisation you are

As an organisation, how do you decide what’s important to you? How do you decide priorities, and how far do you need to go? How do you decide how many incidents are acceptable to you? Well, that’s your risk assessment. You use it to define what security means to you as an organisation. Only once you’ve done that can you really consider the measures, controls, and technologies you need to achieve that definition.

Sorry if this is obvious to you. Everyone says it’s obvious, but very few people actually do it. If you want to make a start at this, try the following steps:


  1. What does security mean for you? Write why you need security on a piece of paper in plain English.

  2. Next to each point, list why it is important. Could it stop your business entirely? Or cause a temporary halt to trading? Or open you to possible fines (check the level of actual fines for similar organisations; specific is best)? Or just be embarrassing to you? Or is it just because everyone else is doing it?

  3. List how often each item in the list has gone wrong in the last 1, 3 and 5 years.

  4. List how often you’d accept each going wrong in the next 1, 3 and 5 years.

  5. Read the points above again and be honest. Really honest. This is your organisation, and you set the tone, whatever it is.
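The five steps above map naturally onto a small risk register that you can keep and report against. The following is an added Python example, written for this page and not a tool from the post or from Pebl1: each `RiskItem` holds one plain-English line from step 1, its business impact from step 2, the incident counts from step 3 and the counts you would accept from step 4, and the functions carry out step 5’s honesty check by comparing the two. The item names, impacts and counts in `SAMPLE_REGISTER` are constructed for illustration.

```python
from dataclasses import dataclass

# Time horizons (years) taken from steps 3 and 4 of the post.
HORIZONS = (1, 3, 5)


@dataclass
class RiskItem:
    """One line of the plain-English list from step 1 (constructed example structure)."""
    name: str          # step 1: why you need security, in your own words
    impact: str        # step 2: what it would do to the business
    observed: dict     # step 3: incidents in the last 1, 3 and 5 years
    acceptable: dict   # step 4: incidents you would accept in the next 1, 3 and 5 years


def validate(item: RiskItem) -> None:
    """Reject a register that cannot be honest: a missing horizon, or a count that
    shrinks over a longer window (the 5-year total cannot be below the 1-year total)."""
    for h in HORIZONS:
        if h not in item.observed or h not in item.acceptable:
            raise ValueError(f"{item.name}: no figure for the {h}-year horizon")
    for shorter, longer in zip(HORIZONS, HORIZONS[1:]):
        if item.observed[longer] < item.observed[shorter]:
            raise ValueError(
                f"{item.name}: {longer}-year count is below the {shorter}-year count")


def tolerance_breaches(register):
    """Step 5's honesty check: every place where the recent past already exceeds
    the appetite you wrote down. Returns (name, horizon, observed, acceptable) tuples."""
    breaches = []
    for item in register:
        validate(item)
        for h in HORIZONS:
            if item.observed[h] > item.acceptable[h]:
                breaches.append((item.name, h, item.observed[h], item.acceptable[h]))
    return breaches


def priorities(register):
    """Item names ordered by how far history overshoots appetite across any horizon;
    items that sit within appetite come last (stable sort keeps their original order)."""
    def overshoot(item):
        return max(item.observed[h] - item.acceptable[h] for h in HORIZONS)
    return [item.name for item in sorted(register, key=overshoot, reverse=True)]


def security_definition(register):
    """The statement the steps leave you with: one tolerance sentence per item,
    expressed in business terms and naming no technology or threat."""
    return [
        f"{item.name}: we accept at most {item.acceptable[1]} in a year "
        f"and {item.acceptable[5]} in five ({item.impact})."
        for item in register
    ]


# Constructed sample register; the counts are illustrative, not real figures.
SAMPLE_REGISTER = [
    RiskItem("Phishing leading to an account takeover", "temporary halt to trading",
             observed={1: 2, 3: 5, 5: 7}, acceptable={1: 1, 3: 3, 5: 5}),
    RiskItem("Lost laptop holding customer records", "possible regulatory fine",
             observed={1: 0, 3: 1, 5: 1}, acceptable={1: 0, 3: 1, 5: 2}),
    RiskItem("Public website defaced", "embarrassing",
             observed={1: 1, 3: 1, 5: 2}, acceptable={1: 0, 3: 1, 5: 1}),
]

if __name__ == "__main__":
    for name, horizon, seen, allowed in tolerance_breaches(SAMPLE_REGISTER):
        print(f"OVER APPETITE: {name}: {seen} in {horizon}y, accepted {allowed}")
    print("Priority order:", priorities(SAMPLE_REGISTER))
    print("\n".join(security_definition(SAMPLE_REGISTER)))
```

Run against the sample register, the phishing line is over appetite at every horizon and the defacement line at two of them, while the lost-laptop line sits inside what was written down; that is exactly the gap between "how often it happened" and "how often you'd accept it" that step 5 asks you to face. Re-running the same comparison each quarter with updated `observed` counts gives the monitoring the post describes without the register ever naming a product or a threat.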


And that’s a fair proxy for a useful security risk assessment. From it, you can start to build the rules you need to stop the bad things happening, and you have something to monitor against. You’ve acknowledged that things will go wrong, even if you don’t want them to. And you have something tangible and meaningful for your organisation to monitor and report against that (hopefully) doesn’t mention specific technologies or threats.

Essentially, you’ll have defined ‘security’ for your organisation.


Pebl1 offers useful tools to help you complete your information and cyber security risk assessment at a fraction of the cost of a human specialist. Please get in touch if you’d like to hear more.




