Risk Management and Information Security
We generally all agree that data/information is more valuable than ever; and also that the information risk landscape is more dangerous than ever given robust external threats, changing corporate business models, and the motivated insider. Yet one of the real frustrations of being in corporate information security is the reality of being perceived as a blocker and naysayer much of the time. What do we have to do to turn this around and be seen as enablers of the enterprise, without which there would perhaps not be the necessary trust on the part of customers and value-chain partners to do business? Is this even possible? If so, should it be a goal, or is it indeed better that information security be seen as a gatekeeper, a necessary obstacle to overcome, an ensurer of the integrity of the enterprise?
At the same time, there is a growing practice and culture of risk management in large global companies. Today’s enterprise must be fundamentally adept at managing risk of all types—operational and strategic, financial and reputational, predictable and not—while still creating value. Leaders must be adept at assessing risks in the pursuit of value, balancing risk and reward where appropriate, prioritizing which risks to mitigate and which not.
Perhaps these issues are linked—and the practice of risk management and tradeoffs needs to be fully incorporated into corporate information security practice—both in approach inside the info sec (and IT) organization and as an integral part of overall corporate risk management. In this workshop, participants explored how these should be linked, what this means in practice, and how this could be the key to building the information risk and resilience culture we want. The types of questions we sought to answer were:
- Should we try to turn this around and be seen as business enablers, without whom there would perhaps not be the necessary trust on the part of customers and value-chain partners to do business? Is this even possible? Is it the right goal? If so, how?
- How do these clearly related pieces (risk and security) fit together—and what is the difference?
- How does information security fit into the enterprise risk management picture at present? What should it look like?
- What is the role of risk management within good information security and IT?
- Is data classification of key data part of risk management? Or of all data?
- How do you build the right approach to information risk management, and how do you inculcate it in the information security organization, IT, and the enterprise alike?
- What does it mean for human behavior and culture, as well as for organizational structure and governance?
- What are the best practices in corporations today around these topics?
- Is building true resilience into the culture of an organization perhaps the key, and how do you do that?
- To what degree must the board be engaged in this? How does senior management educate both up and down on these issues?
Derek O’Halloran was our guest speaker at this workshop.
Scott Bancroft, Group CISO at Novartis, presents on information risk management.
(left to right) Valentin Simic, Director of Information Security, Swarovski; Scott Bancroft, Group CISO, Novartis; Josef Nelissen, CISO, ABB; Kah-Kin Ho, Head of Strategic Security, Corporate Technology Group, Cisco.
Prof. Dr. Boris Otto of Fraunhofer presents the results of breakout session #3 on data classification. To his left is Georg Huenermann, Head of IT Governance at Clariant and to his right sits John Holland, CISO at Credit Suisse.
Georg Huenermann presents the results of a breakout session on access management as Reinhard Jung and John Holland look on.