Using Risk as part of your strategy

  • February 22, 2019

How can Information Security professionals embed the process of risk treatment into daily practices and ensure others in the business see the need for Risk Analysis?


Risk is every Information Security professional’s friend. A properly executed and documented Risk Assessment provides the basis for your company’s Information Security framework, its continuous improvement and all your projects where Data Protection is key. Risk Assessments (from all areas of the business where security and Data are vulnerable) should feed your Risk Treatment Plan (RTP) and you should be reviewing your RTP at least once per month. Whether you are a ‘standalone’ manager or have a security team, the process of risk treatment must be embedded into your daily practices and you must strive to embed the need for Risk Analysis into the very being of your project managers. This is easier said than done, of course.

What Project teams and Board-level Execs don’t like is being told that they cannot do something because of the Risk. I’ve lost count of the number of whisperings I’ve overheard along the lines of “Don’t tell Security because they’ll just say No!” If you hear this then panic, because something bad may be about to happen!

My approach is always to say “Yes, of course you can use a free, unencrypted, on-line mail transfer system to send confidential information to a third party with whom we have no contract or NDA in place.” And just as the Project Lead skips away with a happy smile I call them back with a “But let me carry out a Risk Assessment so we can see if the data being transferred is vulnerable to theft and what the impact on the business might be if that happened.” It always works. You haven’t said “No, absolutely not” and although the Project Lead may eye you with hesitant suspicion they can see you may have a point.

Once you have clearly shown that sending Confidential Data using an unencrypted third-party application sitting on a server in the Ukraine comes with a very high probability of data theft, then hopefully the Project Lead will ask your advice on a more secure solution. The golden rule here is never accept responsibility for the data. Despite the bleatings of “But you said it was okay”, your response must be to explain that you are not the Data Owner. You are there to advise what is secure and what is not. Should the Data Owner agree to use a free and insecure system then that is fine: you have calculated the risk, advised of the impact and duly noted this in your Risk Management documentation.

Of course the Exec won’t know any of this until the brown stuff hits the fan, and the first blood they’ll be calling for is yours. They are rarely interested in Risk Calculation, probability, threat and impact. They are interested in making a profit, and Security is a drain on profit because the Exec can see no ‘Return On Investment’. So what you must do is take your Risk Calculation and convert it into something the Exec will understand: Profit and Loss.

This, for many Information Security Professionals, will not be an easy task. This is where identifying Key Stakeholders when you first joined the company comes into play. Engage with the Finance Manager, Head of IT, CIO, CISO etc., whoever you need to help you calculate the real cost of a data breach or DDoS attack or whatever the identified project vulnerabilities are. Telling the Execs that there is a high risk of data loss will drift over their heads like a ‘will-o’-the-wisp’, but telling them that a data breach could cost upwards of £2000 per data subject in non-material claims plus a fine of 4% GDP from the ICO, loss of Reputation and loss of business will normally make them sit up and take notice. You then show them that by investing a small amount in, for example, a secure data transfer system, they will be leading the way, securing customers’ data, improving their market standing and increasing their revenue stream.

Written by Andrew Denley

With more than thirty years’ experience in technology, Andrew has worked in a variety of industries including Maritime, Research & Development, Central Government, Business and Consultancy. Trained as a Maritime Electronics and Radio engineer he has diversified as Information Technology has advanced and has spent the last ten years specialising in Information Security and Data Protection. He is a qualified Risk Practitioner, GDPR Practitioner and ISO27001 Lead Auditor and has considerable experience in CLAS-related Security, Cyber-Essentials and NIST Information Security. He has co-written a technical guide to GDPR aimed at the non-European market which is due to be published in late 2018.

Andrew has co-written the recently published GDPR: How To Achieve and Maintain Compliance.

Find Andrew on LinkedIn.
