Balancing budget with information security risks a game of risky decision-making

I recently played the Targeted Attacks game, which was developed to simulate a corporate scenario. In the game, the CIO is required to make critical decisions during various stages of the launch of a new software application.  At each stage, the CIO turns to the viewer and presents them with three different options.  Based on the decision taken, the game continues, each time presenting a new set of challenges that can result in either saving the company from a disaster, or a massive data breach.

As mildly entertaining as it may seem (including the CIO’s flashy lifestyle and pained facial expressions when confronted with a tough choice), the game highlights the dangerous ‘game’ of risk-taking that thousands of CIOs wilfully or unwittingly play each day.

As Rik Ferguson from Trend Micro urges, “it is crucial to understand that it is no longer a question of ‘if,’ but ‘when’ a cyberattack will occur” – it is clear that companies simply are no longer secure.

Information security experts advise that cyber security should be viewed as a programme – an ongoing part of the business that demands leadership and commitment – and not a one-time project.

The problem with information security is that most organisations are forced to balance the potential risks against their available budget.  This approach often becomes a dangerous game, with the company precariously balancing on the edge of a data breach catastrophe.

The lack of appropriate budget is a common theme.  Information security spending is not keeping pace with increases in the frequency and costs of security incidents, despite elevated concerns about cyber risks. In fact, investment in information security budgets declined 4% over 2013, according to the 2015 Global State of Information Security Survey. This is even more pronounced when it comes to smaller organisations, which is no surprise.

In addition to having appropriately qualified leadership and sufficient budget, the risk assessment is one of the key elements of any successful cyber security programme.

Successful organisations are those that develop sound practices and then maintain constant vigilance using a risk management mindset.

That’s why the risk assessment process is at the heart of an ISO 27001 implementation, but many newcomers to the world of information security struggle with this essential element of the process.

There are many guidelines to follow when embarking on a risk assessment.  An article we published gives a short overview of how to conduct a risk assessment based on ISO 27001:2013.

vsRisk, the simple, easy-to-use information security software, provides direct benefits for anyone undertaking an information security risk assessment.

By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and money that would otherwise have been spent on consultancy fees.

vsRisk 2.5, launched in April 2015, offers new and improved features, including a sample risk assessment database, demonstrating how the risk assessment associates risks, assets and controls.

A series of videos on the Vigilant Software website take the user step-by-step through the risk assessment process.

vsRisk enables the user to repeat the risk assessment in a standard format year after year.  The tool generates a set of reports that can be exported and edited, presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities, as well as seven different control sets that can be applied to treat the risks.

Leave a Reply

Your email address will not be published. Required fields are marked *