A lot has been shared, spoken of or published about Information Risk and Cyber Security. It boils down to Business impacts, what our business suffers or may suffer from those ...
A lot has been shared, spoken of or published in market about Information Risk and Cyber Security. It boils down to the subconscious mind of Business impacts.
A lot has been shared, spoken of or published about Information Risk and Cyber Security. It boils down to Business impacts, what our business suffers or may suffer from those threats before a meaningful conversation can begin.
As a risk management practitioner, Threats & Vulnerabilities are being taught and used as the fundamentals to approach various risk context within our business or organizations, or even used as yard stick to quantify or qualify the probability of exposure. Vulnerabilities may mean nothing, nor being any issue or concern until a known threat exploits it for a non-compliant or illegal purpose, and when carried further Business impact will be the bottom line. Business impact may be what’s needed to be articulated along with a meaningful story that invites business to elaborate themselves. The corresponding measures will then be what business would like to give priority to of their investment.
Typical examples of “risk and business impact” commonly cited; and anyone can elaborate better than I do.
• Business Interruption
• Data Loss/Breach
• Identity theft
• Cyber Extortion and many more…
They are linked one way or another. Start with a simple context to help business think along the line. Business may elaborate with different possibilities and scenario, and they may even take them further to realize more themselves, given their bulk of knowledge and experience.
When company faces attack vectors, internal or external, technical or non-technical, business operation gets interrupted; order fulfillment becomes delayed, customers become upset or the obligation to their end-customers become impacted. Concurrently, Data may be lost to someone's hand who uses it for various reason or purpose that may be detrimental to business, organization, customers or employee at various level of negative effect and influence. And that it leads on to data breaches, which can mean reputation or credibility at stake, potential law-suit or severe penalty from regulatory governing bodies. The loss may be larger than what's outlined here. Data Leak may go beyond the eco-system. One will feel the strongest negative impact when their identity becomes compromised. Classified information related to stolen identity, especially personal record (PII), financial or medical record (PHI) may bring the business to its knees if they belong to their customers or vendor, or someone of significance.
Having known of all the above, what does it mean to the business? Will that make them worried, anxious and become more conscious of the potential threats they may be put to challenged? We can expect different expression and responses, but what cannot be denied is their subconscious "conscience" of the possibilities or the scenario of those that they may run into, as an employee or personally. Those may then be again challenged with multiple external factors that cross their conscious mind and lead them to ask themselves questions such as; “Am I the only potential victim? who is responsible for a larger cause if it happens to us? If others are not worried, any reason I should be? Is this really happening here? There are other priorities that I need to balance with my budget, I am not worried at this moment until it starts to happen, I may not be the target to get hit. How possible that it will happen to us? …“
As a practitioner, we preach to our organizations that we should have - continuous training, risk awareness communication, attitude of always preventing such from happening, if otherwise the ability to detect or pre-empt the situation that it will allow us manage the impact. When that's being shared, and communicated long enough within the company or organization, it will gain some traction. Nevertheless, how much traction gained with the effort and time spent?
Putting the mind of a practitioner into perspective, it's always beneficial to be mindful, think of finding the thin line or Touchpoint to balance between articulation of "risk and threats, or even vulnerability" and that of other business or personal priority. After all that we have preached, it only takes a mindful approach to find that Touchpoints, that connect the dots of the entire story with a flavor of “governance, risk and control”.
Note: The above is in pertinent to advisory and consulting practices of iTGRC Asia