By: Marty Miracle
While other risk areas can make clearer cases to ERM for risk management dollars, InfoSec often fails to give ERM the risk information it needs to evaluate risk in this space and compare it with other areas of risk. What are some of the reasons, and how can we as risk professionals help solve this problem?
1. Thinking we are different because of constant evolving threat landscape:
Just because new threats are "emerging every day" doesn't mean we shouldn't focus on understanding the InfoSec threats to our business today. Use the research available on attack sources, the tools they may use, and how these apply to your company to prepare for the probable rather than remain paralyzed by the unknowable.
2. We don't have data to support assertions about risk so we rely on best practice or FUD to make our case to ERM:
Read Douglas Hubbard's book "How to Measure Anything". You have more data than you think and need less than you fear. Business leaders are used to having imperfect information and making decisions based on the best information available. Let's make sure we are getting them the best information available rather than relying on "trust me, I am a professional".
3. Believing we can't quantify risk so we produce pictures of risk that aren't clear or helpful to ERM:
Even if you don't believe risk can be boiled down to a dollar figure, you can evaluate InfoSec risk in terms of how often the negative event could/would/should happen and how bad it would be. Paint that picture for decision makers and you will be of greater use to them than screaming that the sky is falling.
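The "how often and how bad" picture in point 3 can be produced with a small Monte Carlo model in the style Hubbard describes: calibrated 90% ranges for yearly event frequency and per-event loss go in, and an expected annual loss plus loss-exceedance probabilities come out. This is an added example, not code from the article; the phishing scenario and its ranges are constructed for illustration.

```python
import math
import random
from statistics import mean, median

def lognormal_params(lo, hi):
    """Calibrated 90% CI (lo, hi) for one event's loss -> lognormal (mu, sigma).
    3.29 is the width of a 90% interval in standard deviations (Hubbard's rule)."""
    if not 0 < lo <= hi:
        raise ValueError("need 0 < lo <= hi")
    return (math.log(lo) + math.log(hi)) / 2, (math.log(hi) - math.log(lo)) / 3.29

def poisson(rng, lam):
    """Knuth's sampler; adequate for the small yearly event rates InfoSec scenarios use."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(freq_lo, freq_hi, loss_lo, loss_hi, trials=10_000, seed=1):
    """Monte Carlo over one year: how often (events/yr, uniform between the estimated
    bounds) times how bad (per-event loss, lognormal). Returns sorted annual losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_lo, loss_hi)
    losses = []
    for _ in range(trials):
        events = poisson(rng, rng.uniform(freq_lo, freq_hi))
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(losses)

def exceedance_probability(losses, threshold):
    """Share of simulated years worse than the threshold: the figure ERM can
    compare directly against other risk areas."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def summarize(losses):
    """Expected annual loss plus the tail (median, p90, p99) of the simulation."""
    n = len(losses)
    return {"expected_annual_loss": mean(losses), "median": median(losses),
            "p90": losses[int(0.9 * (n - 1))], "p99": losses[int(0.99 * (n - 1))]}

if __name__ == "__main__":
    # Constructed scenario (not from the article): credential phishing leading to
    # account takeover, 1 to 4 incidents a year, each costing $20k to $500k (90% CI).
    annual = simulate_annual_loss(1, 4, 20_000, 500_000)
    print(summarize(annual))
    for t in (100_000, 500_000, 1_000_000):
        print(f"P(annual loss > ${t:,}) = {exceedance_probability(annual, t):.1%}")
```

The exceedance curve (probability that a year's loss exceeds each threshold) is the output to hand ERM, since it reads the same way for every risk area.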