Feeling like a hostage of security
The head of a famous fashion retailer called me the other day and started complaining about the fact that his information security organization was stifling the progress of their business. "In our industry, time-to-market is very important. New fashion lines have to hit the market at the time when shoppers are looking for new apparel." He continued: "The information security team is blocking the launch of our new e-retail application on the basis that it is not secure enough."
The tension in his voice was palpable. He recognized the need for the organization to be protected, but felt that decisions were being made based on erroneous risk assumptions.
"They are grossly overstating risk and that is leading our organization to make decisions that are always aligned to the worst possible case. They are not dealing with real-world assumptions and that is hurting our business."
He then explained how risk estimates in his company are calculated based on the worst possible outcome. Their implied risk formula is (max. impact of loss event) x (100%). No consideration is given to the actual probability of a loss event on an annual basis. The effect of that is that decisions in his organization are being made based on estimates of risk that greatly exceed reality.
"We are probably vastly overspending in security and slowing the pace of business."
Finding the right risk balance
"We are looking for ways to balance the need to protect our organization with running our business. We feel that if we had the means to quantify the actual cybersecurity risk in a more realistic way, using probability of outcomes and getting to dollar figures we believe in, that would allow us to make more informed and cost-effective decisions."
I replied that our profession had experienced rapid advances in the last couple years. The emergence of standard risk models, such as FAIR, that take into account all the factors of risk, along with the use of proven mathematical simulations contained in solutions such as RiskLens, have been helping organizations to quantify risk as a distribution of probabilities that represent the entire spectrum of possible outcomes (see example below).
With that data at hand, companies can now decide if they want to make business decisions based on most likely outcomes or if they want to take a more conservative, risk-averse approach by basing their decisions on a higher percentile.
Security and compliance shouldn't feel that the business is disregarding their security recommendations, and the business shouldn't feel that security is holding them hostage. Instead, the business opportunity seized by the business along with the level of risk that the organization is willing to sign off on, should be the result of explicit and well-informed business decisions.
Consequences on risk governance
We continued discussing the impact that such an improved decision-making process can have from a governance perspective.
We ended up agreeing that:
- The business can no longer delegate risk decisions to IT. The business needs to own the decision of how much risk is acceptable in context of the business opportunity and the costs involved.
- Risk and security professionals can no longer act as mere defenders of the organization. They cannot be the arbiters of what is good and what is bad. They must learn to speak about risk in the financial language that the business can understand and become facilitators of the balance between protecting the organization and running the business.