Security and risk are often mentioned in the same breath, and while they can complement each other, taking a risk-based approach is essential to building a realistic and manageable IT security program that can scale from small to large organizations, Rick Doten, chief, cyber and information security, Crumpton Group, said at SC Congress Toronto 2016 Thursday.
“Security is an emotion and risk is a calculation” of the likelihood that a threat will have an impact, Doten said, noting that it's easy to get caught up in all the potential threats to security rather than focus on protecting the assets and operations important to an organization. “We confuse the two.”
Executive input is key to assessing risk and establishing proper security controls. “Executives have to tell [IT security] what's important to the business,” he said. “They have to know what to protect” and prioritize it.
Top management also has to determine clarify a business's risk appetite, or acceptable level of risk.
Data classification is also critical. “If I'm a shepherd and I don't know how many sheep I have or if they're sheep, I can't do my job,” said Doten.
A growing number of businesses are figuring cyber insurance into their calculations. “Fifteen years ago, they thought of it as homeowner's insurance” that they probably wouldn't need, he explained. “Now they realize it's more like health insurance – you're going to need it.”
He noted that 70 percent of insurance goes to covering forensics costs after a breach.
Doten stressed that risk management is not synonymous with risk avoidance, the latter of which is impossible. He also said it's not easy, noting that some organizations are like consumers who want a six-pack of abs, but instead of working out, they buy an ab roller for $16.99 that promises to get them in shape quickly and with little effort.