Over the past week I’ve been looking at our existing processes for managing risk, how information security risk fits within this framework, and what improvements can be made overall.
One of my concerns is that most people aren’t used to explicitly thinking about risk, and that my colleagues need to be able to relate to it as a concept. If the terminology with which we frame these ideas is unfamiliar, then not only do we risk failing to make this part of the corporate culture, but much of the work will fall back to specialists such as myself, potentially overwhelming me with work as the ISMS grows.
The focus so far has been on expressing the impact of a risk in terms that a wide variety of colleagues can get to grips with, but that still remain as consistent and comparable between different risks as possible. Some in operational teams will be used to thinking in terms of network and service downtime, our finance team in terms of money, and our marketing and communications teams in terms of the impact on our reputation. This hasn’t been all that difficult: despite working in different areas, we all work for the same organization towards a common goal, and we see the same picture of what good and bad days at the office might look like.
I think that the more difficult areas for most organizations are going to be at the extreme ends of the scale where events not only have an impact on the organization but on individuals. How do you fully factor in the personal impact and responsibility that results from a company director having to sign an ICO undertaking? The matter only gets more complicated if you consider areas where poor risk management can potentially lead to custodial sentences.
There’s no simple answer to this. The context, legal environment, and attitude to risk that your organization and top management operate within are ultimately where you need to look for guidance on how you incorporate these ideas into your processes.