Vicki Gavin, head of business continuity and information security of The Economist Group, Paul Haywood, chief technology risk officer of Capital International at GE, and Thom Langford, director of security risk management in Sapient's Global Security Office, discussed effective risk assessment during a keynote panel at Infosecurity Europe, and paid particular attention to educating the C-suite and third parties.
Gavin said that a key point in all of these discussions is that security and risk assessment teams learn what the business considers a risk, and then communicate this accordingly to the board.
“If I have to give everyone one risk assessment tip, it would be to learn to speak the language of business. You need to know what business considers as risk,” said Gavin.
If you do this and speak to senior people, you are more likely to get the funding and resources required, she added, although Langford was keen to point out that this was only possible if risks were translated into ‘plain English’.
Haywood agreed, adding that it's important to prioritise risks and communicate in a ‘way that business understands’, with this message needing to revolve around the impact on reputation, customers and revenue streams if a breach does occur.
He further suggested listing the top ten risks against a company, so that both IT staff and senior executives can understand the threats and mitigate against them.
However, the panel concurred that the issue is somewhat muddied regarding third parties, with many contractors in the supply chain unaware of the risks and more susceptible to losing data.
This is particularly problematic in the cloud, said Langford, with many firms looking to lessen the load on their own resources and staff by adopting solutions like Amazon's AWS.
Urging a blended approach, Langford said of the cloud: “You don't even know where the data is half the time, it could be replicated somewhere else.”
“The cloud is a nice fluffy term but it just means someone else's computer...you put in those terms and understand the risks.”
This was particularly true of the Target data breach, affecting some 120 million customers (and 40 million credit cards), where hackers were able to obtain data from the retailer's point-of-sale systems after stealing network credentials from Fazio Mechanical Services, a Pennsylvania-based provider of refrigeration and HVAC systems.
Citing this as an example, the panel said that companies need to manage contractors, implement service-level agreements (SLAs), and continually assess their security credibility by doing onsite visits and distributing questionnaires. Checking their incident response should be mandatory as well, Gavin said.
The Economist carries out similar assessments with third-party partners. Gavin said that the publisher will often do ‘joint exercising’ on IT security risks to help them understand what's required and “where the gaps are” in defence.
Nonetheless, technology only goes so far, and Gavin believes that having ‘meaningful’ discussions with third parties should at least minimise the damage should a data breach occur.
“At the end of the day, no matter how good your controls are, data breaches happen,” she said. “It's about relationship management, getting to speak to them; there's nothing more important than that.”
“Until they become our overlords, I truly believe that people run computers.”