Information Security Risk: Make it simple

Written by Simon Rhodes - Guest Editor, Jul 11, 2019

It seems that most weeks, there is a mainstream news story about a major organisation whose failures in the cyber realm have translated to widespread real-world embarrassment.

Whether we’re talking about a data breach, an outage, a failed project or some other issue, it’s quickly becoming a normal part of the news cycle. We almost expect organisations to play fast and loose with their information security.

Such stories provide a rich vein of cautionary tales for those working in information security, many of whom just shake their heads in disbelief at each new disaster. There are plenty of good people out there to ask for advice and thousands of sources of good practice, and yet it seems that, for some reason, these are ignored. It’s worth asking ourselves why that is.

It may be that organisations get tied up in the technology. They focus on the “stuff”; the “boxes”. They’re excited about the new shiny “solution” that hits the market and they forget the golden rule: security is a people problem and it cannot be solved by throwing money at it.

It might be that they don’t understand security. Convergence is bringing us to a place where there is no such thing as “cyber security” anymore – there is just “security”.

The quality of our security is directly proportional to the quality of our thinking about security. Perhaps they simply think that “it won’t happen to us”. This demonstrates a failure to understand the risks they face.

We should not forget that security management is actually a subset of risk management. This is where we should be starting if we want to understand our information security risks and communicate them better in our organisations.

Risk is an interesting subject, linked to psychology, sociology and mathematics. When we discuss cyber security risks, we are really discussing two things: how likely something bad is to happen and how much it is likely to hurt.

The “something bad” is usually linked to either the criticality of the information (in the form of availability) or its sensitivity (confidentiality and integrity).

The “hurt” we are discussing – usually for the organisation – materialises as lost productivity (meaning lost revenue), lost opportunity, regulatory and contractual issues and reputational harm.

The problem: these are abstract concepts. They exist in a future that may not happen, which is why some organisations don’t really understand risk. Instead, it might help to look at information security risk management in a different way.

Let’s start with the idea that something can only happen if conditions allow it. Whether we are talking about life on other planets or a breach of our network, if conditions do not allow it, it won’t happen. So, from a very practical perspective, we are in the business of “condition management”.

If we leave the default username and passwords on our routers, for example, we are allowing a condition to exist that will lead to loss on a long enough timeline. We need to apply our resources (time, money and intellect) in such a way that we affect our conditions positively so that the bad stuff is either less likely or less impactful.

This then allows us a simpler way of communicating information security risks to our organisations. We should avoid being too technical in our communications with senior management.

Identifying risks

Nobody is interested in how many malformed packets we intercepted this month. They want to know what their risks are and whether we are implementing controls that reduce them to acceptable levels.

They want to know that we are not wasting resources. They want to know that they are compliant with relevant standards, legislation and contractual requirements. They want to know that we are managing the conditions that could lead to harm or loss for the organisation.

Information technology is an essential part of our daily lives, businesses and wider society. It makes sense to understand the risks it presents and learn how to communicate about them in rational ways that drive engagement and support good corporate governance.

Fortunately, there are ways of learning how to do this. According to a number of industry websites, ISACA’s CRISC (Certified in Risk and Information Systems Control) was one of the most desirable information security certifications in 2017. It focuses entirely on the identification, assessment, measurement and treatment of information security risks.

Being “good” at IT is not enough. We need to be good at risk, and good at explaining it. Where organisations hit the headlines as a result of uncontrolled information security risks, there is an inevitable blame storm.

If the information security professionals (who are the most knowledgeable, most certified, most experienced people in the organisation on this subject) have failed to explain the risks in a way that senior management can understand and engage with, they need to accept their part in the problem and do something to make sure that it doesn’t happen again.
