Ineffective risk analysis lowers information security
Even though there are several quantitative methods for managing IT risks, and thus for improving security, these methods are often applied inadequately. The IT industry has a lot to learn from the financial industry, which has been using such methods far more effectively for risk analysis.
Thomas Roka-Aardal, Head of Information Security at Nagarro, has noted that companies and organizations approach information security in largely two ways. The first is to demonstrate compliance, i.e. they align themselves with existing certifications and rules. Compliance is something that can be shown to management.
The second is to manage risks, i.e. to conduct risk analyses in order to determine the appropriate level of investment in security.
“Existing investments in security are based to some extent on risk analysis in order to lower the risks, but we need to be more fact-based in our view as to how to manage IT risks. The IT industry is still quite immature when it comes to using scientific methods for risk analysis,” says Thomas Roka-Aardal.
Potential for change
He draws a comparison with how risk analyses are carried out, for example, in the financial sector. That sector has used scientifically based risk analyses for a long time, and its risk analyses are presented with mathematical rigor. New methods are continuously being developed and put to use in day-to-day activities. Unfortunately, this is not the case in the IT industry, where there is a heavy reliance on color-coded heat maps and the familiar high/medium/low risk matrices. There is therefore considerable potential for change.
Today, more data is available, which can give security managers a new view of risk management and allow them to quantify risks in monetary terms rather than in colors.
“At Nagarro, we want to help our customers by using modern methods to conduct more accurate risk analyses, thus identifying the correct level for investments in information security. This area is currently shrouded in considerable uncertainty. Some invest too little, while others might be investing too much, or in the wrong area in information security. There are naturally companies and organizations that already are successfully using the new methods today.”
Quantifying IT risks is key
These methods make it possible for companies and organizations to determine what loss they are prepared to accept for a given IT risk and to adjust their security investments accordingly.
The goal is for a company, through risk analysis, to make the right investments in security and gain better control over its exposure. One example would be quantifying the risk that a competitor breaks into the business system, and then weighing the expected damage against the cost of the security investments that would reduce it.
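The kind of monetary quantification described above, as an added worked example that is not code from the article or from Nagarro: a small Monte Carlo model in which the number of incidents per year is drawn from a Poisson distribution and the loss per incident from a lognormal distribution fitted to a 90% confidence range, the approach popularised by Hubbard and Seiersen's "How to Measure Anything in Cybersecurity Risk". The scenario figures (one intrusion every two years on average, a per-incident loss of 50k to 500k, a control costing 30k per year that cuts the frequency to once in ten years) are assumptions chosen for illustration, not numbers from the article. The output is an expected annual loss in money, a loss-exceedance probability, and the net benefit of the control, which is the comparison the text says a board wants to see.

```python
"""Monte Carlo quantification of an IT risk in money terms.

Added example, not code from the original article or from Nagarro.
All scenario numbers (event frequency, loss range, control cost) are
assumptions chosen for illustration.
"""
import math
import random

Z_90 = 1.6449  # half-width of a two-sided 90% interval, in standard deviations


def lognormal_params(loss_low, loss_high):
    """Turn a 90% confidence range for per-event loss into lognormal mu, sigma."""
    if not 0 < loss_low < loss_high:
        raise ValueError("need 0 < loss_low < loss_high")
    mu = (math.log(loss_low) + math.log(loss_high)) / 2
    sigma = (math.log(loss_high) - math.log(loss_low)) / (2 * Z_90)
    return mu, sigma


def sample_poisson(lam, rng):
    """Number of loss events in one year (Knuth's algorithm; fine for small lam)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(freq_per_year, loss_low, loss_high, trials=50000, seed=1):
    """Total loss for `trials` simulated years; each year sums its events' losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_low, loss_high)
    losses = []
    for _ in range(trials):
        events = sample_poisson(freq_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def expected_annual_loss_analytic(freq_per_year, loss_low, loss_high):
    """Closed-form cross-check: freq * E[lognormal] = freq * exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(loss_low, loss_high)
    return freq_per_year * math.exp(mu + sigma * sigma / 2)


def loss_exceedance(losses, threshold):
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def evaluate_control(freq_before, freq_after, loss_low, loss_high, control_cost, **kw):
    """Expected annual loss with and without a control that reduces event frequency,
    plus the control's net benefit (loss avoided minus what the control costs)."""
    before = simulate_annual_losses(freq_before, loss_low, loss_high, **kw)
    after = simulate_annual_losses(freq_after, loss_low, loss_high, **kw)
    eal_before = sum(before) / len(before)
    eal_after = sum(after) / len(after)
    return {
        "eal_before": eal_before,
        "eal_after": eal_after,
        "p_loss_over_1m_before": loss_exceedance(before, 1_000_000),
        "p_loss_over_1m_after": loss_exceedance(after, 1_000_000),
        "net_benefit": (eal_before - eal_after) - control_cost,
    }


if __name__ == "__main__":
    # Assumed scenario: a competitor gets into the business system on average
    # once every two years; one incident costs 50k..500k (90% confidence);
    # a control costing 30k/year is believed to cut the frequency to once in ten years.
    result = evaluate_control(0.5, 0.1, 50_000, 500_000, control_cost=30_000)
    for key, value in result.items():
        print(f"{key:>22}: {value:,.2f}")
```

A negative net benefit would mean the control costs more than the loss it is expected to prevent, which is exactly the "investing too much, or in the wrong area" case the article warns about; the exceedance probability additionally shows tail risk that an expected value alone hides.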
“Today, I can say that quantification of IT risks is becoming increasingly important. It is no longer possible to go to a board meeting without having concrete numbers. At Nagarro, we believe this means giving organizations the right tools and methods and implementing them in the business. We do this primarily through workshops where we teach our customers how to not only quantify cyber risk but also use, monitor and measure this risk in order to provide a basis for investment decisions in information security.”
On October 2, Thomas Roka-Aardal will be the keynote speaker at the Digital Business Strategy conference: http://managementevents.se/events/2738/digital-business-strategy/2019/sweden/
The topics he will touch on will include creating a data-based approach to measuring cyber risk, using proven methods instead of matrices to measure risk, and creating KPIs for security that do not hide information.