Talking about information security impacts

Over the past week I’ve been looking at our existing processes for managing risk, how information security risk fits within this framework, and what improvements can be made overall.

One of my concerns is that most people aren’t used to explicitly thinking about risk and that my colleagues need to be able to relate to it as a concept. If the terminology with which we frame these ideas is unfamiliar, then not only do we risk failing to make this part of the corporate culture, but much of the work will fall back to specialists such as myself, potentially overwhelming me with work as the ISMS grows.

The focus so far has been on expressing the impact of a risk in terms that a wide variety of colleagues can get to grips with, but which still remain as consistent and comparable between different risks as possible. Some in operational teams will be used to thinking about ideas of network and service downtime, our finance team of money, and our marketing and communications teams of the impact on our reputation. This hasn’t been all that difficult; despite working in different areas, we do all work for the same organization towards a common goal and see the same picture of what good and bad days at the office might look like.

I think that the more difficult areas for most organizations are going to be at the extreme ends of the scale where events not only have an impact on the organization but on individuals. How do you fully factor in the personal impact and responsibility that results from a company director having to sign an ICO undertaking? The matter only gets more complicated if you consider areas where poor risk management can potentially lead to custodial sentences.

There’s no simple answer to this. The context, legal environment, and attitude to risk that your organization and top management operate within are ultimately where you need to look for guidance on how you incorporate these ideas into your processes.