Assessing Risk in Turbulent Times
This workshop was designed for peer-to-peer dialog—thought-provoking roundtable discussions involving a select group of senior information security executives and a few top academics. The focus of this workshop was risk assessment—particularly understanding the evolving risks we all face from the downturn. Deepening cost pressures and organizational transition have opened new risks and made everyone’s job more challenging. With downsizing comes process disruption and organizational gaps. Business partners, squeezed by the same forces, are themselves growing risks. We will explore how firms are assessing these risks and how they can be better managed.
Key topics covered by this group of professionals includes:
- The downturn has led to what many see as the perfect storm for information security professionals. From employee downsizing and stretched budgets to the consumerization of
- technology and rising professional threats, CISOs are asked to do more with less.
- Security tools have matured with a steady string of new offerings to address arising risks. However, the unending stream of new tools can be a distraction from what is, in fact, a human problem.
- Crown jewel designation can be a helpful way to classify crucial information. However, it is important to strictly limit such high priority categories or everything, and thus nothing, is a crown jewel.
- Executive attention on security is a silver lining of the downturn. As times got tough, boards focused on risk, and information risk bubbled up to the top.
- Vendor surveys are OK, but thoughtful questions are far more powerful. While many good assessment surveys are available, CISOs still find that probing questions lead to a dialog that gets to the root of security issues.
- Third-party risk assessments can be helpful for initial vendor screenings. But few firms see external assessments replacing internally driven due diligence.
- There is growing interest in industry-driven assessment methodologies. But as with third-party assessments, one size doesn’t fit all.
- With new threats appearing at a dizzying pace, developing businesses processes that can operate in an insecure world is the key to risk reduction. Since anything connected to the internet is vulnerable, simply increasing security is a losing game.