Risk Analysis and Security Strategy

What has risk management got to do with Cyber Security?

Okay, in a conversation I was having last week about the new EU and UK data protection regulations and legislation, someone said to me: “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?”

Good question, I thought… And I could only come back to something I believe to be the core foundation stone for anything related to security, whatever sexy label you want to put on it: the application of sound Information Risk Management (IRM) techniques is central to keeping information safe, whether the threat comes through any one or a combination of the people, process and technology involved in collecting, using, communicating or storing information in any form. Without this, you simply will never be as secure as you should be.

Oh yes, and I hear you say… there’s no such thing as 100% security. Whatever percentages you care to bandy about, the highest levels will only be achievable if you use IRM techniques to understand the risks you face and to identify the most appropriate, affordable and accreditable secure solution.

Understand what value your information has to you. Every bit of information your business holds falls into one of at least three categories (highly sensitive, confidential or public) and as a result has a value that can have either a positive or a negative financial impact on the business. It is therefore important that you understand what the “value at risk” to the business is should you find that information has been compromised, stolen or is no longer available to you.

There is always a direct and an indirect value at risk: actual cost impacts, and consequential or collateral cost impacts. Understanding these costs informs your decisions on risk reduction controls, which may be “organisational” or “technological”. More importantly, this knowledge will make sure you don’t spend too much time, effort and cash on inappropriate “all singing and dancing” bits of technology when simple people, process and procedural controls will be sufficient – and, of course, the opposite.

So, to answer the direct question, “what on earth do they [DPA 2018 & GDPR] mean when they say you have to take a Risk Based Approach to ensuring data protection?” Simples… use a good information risk management technique, like the H2 methodology, and you will have succeeded in meeting the requirements of the DPA 2018 and GDPR in terms of both Privacy by Design and Default and taking a Risk Based Approach to data protection.

We at H2 have a great deal of experience in helping companies understand that Value at Risk. We would be delighted to discuss our methods with you and even to demonstrate how we conduct our IRM reviews.

Does Risk Management Matter?

Risk management is all about helping us to create plans for the future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation on a day-to-day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated, there are limits.

A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised, then managed in some way or other and classified in some way; many choose a simple High, Medium and Low. This can be easier said than done, as we would all like to abolish risk, as if that were an easy and simple option.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined? Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, of course, a definition for an individual organisation may be this question, asked of each business asset or process: ‘what would the risk to the business be if this process/asset was corrupted, denied, compromised or lost?’ This gives us four risks (data corruption, denial of access, loss, and compromise of data, hardware, software, etc.) and it allows us to immediately assign a level of high, medium or low to each, depending upon the perceived hit on the bottom line.
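Putting the idea together: the asset classification from the first article, the direct and indirect value at risk, and the four loss scenarios above can be laid out as a simple risk register that rates each asset/scenario pair High, Medium or Low by its estimated hit on the bottom line and lists the High entries first, so that control spend is directed where it matters. The following is an added illustration, not H2’s methodology or any code from this page; the asset list, the cost figures and the High/Medium/Low thresholds are constructed assumptions.

```python
"""Minimal information-risk register rating each asset against the four
loss scenarios (corrupted / denied / compromised / lost) as High, Medium
or Low from its direct + indirect value at risk.

Added example; all assets, cost figures and thresholds are constructed
for illustration and are not taken from any real assessment.
"""
from dataclasses import dataclass

# The four loss scenarios named in the text.
SCENARIOS = ("corrupted", "denied", "compromised", "lost")

# Assumed rating thresholds in GBP: value at risk up to LOW_MAX is Low,
# up to MEDIUM_MAX is Medium, anything above is High.
LOW_MAX = 10_000
MEDIUM_MAX = 100_000


@dataclass
class Asset:
    name: str
    classification: str          # "highly sensitive", "confidential" or "public"
    impacts: dict                # scenario -> (direct cost, indirect cost), constructed


def value_at_risk(asset: Asset, scenario: str) -> int:
    """Direct plus consequential/collateral cost for one scenario."""
    direct, indirect = asset.impacts[scenario]
    return direct + indirect


def rate(var: int, low_max: int = LOW_MAX, medium_max: int = MEDIUM_MAX) -> str:
    """Map a value-at-risk figure to the page's High / Medium / Low scale."""
    if var > medium_max:
        return "High"
    if var > low_max:
        return "Medium"
    return "Low"


def build_register(assets, low_max=LOW_MAX, medium_max=MEDIUM_MAX):
    """One row per asset and scenario, ordered by value at risk, highest first."""
    rows = []
    for asset in assets:
        for scenario in SCENARIOS:
            direct, indirect = asset.impacts[scenario]
            var = value_at_risk(asset, scenario)
            rows.append({
                "asset": asset.name,
                "classification": asset.classification,
                "scenario": scenario,
                "direct": direct,
                "indirect": indirect,
                "value_at_risk": var,
                "rating": rate(var, low_max, medium_max),
            })
    rows.sort(key=lambda r: r["value_at_risk"], reverse=True)
    return rows


def controls_to_review(register):
    """Rows rated High: the first candidates for organisational or technical controls."""
    return [row for row in register if row["rating"] == "High"]


def worst_case(register, asset_name):
    """The scenario with the largest value at risk for one asset."""
    rows = [row for row in register if row["asset"] == asset_name]
    return max(rows, key=lambda r: r["value_at_risk"])


# Constructed sample data.  Note that a "public" asset can still carry a
# Medium rating for corruption (e.g. defacement) even though its
# compromise or loss costs little: the scenario, not just the
# classification, drives the rating.
SAMPLE_ASSETS = [
    Asset("customer database", "highly sensitive", {
        "corrupted": (25_000, 15_000), "denied": (20_000, 10_000),
        "compromised": (50_000, 250_000), "lost": (60_000, 40_000)}),
    Asset("public website", "public", {
        "corrupted": (2_000, 30_000), "denied": (8_000, 4_000),
        "compromised": (500, 500), "lost": (3_000, 1_000)}),
    Asset("internal price list", "confidential", {
        "corrupted": (5_000, 2_000), "denied": (1_000, 0),
        "compromised": (20_000, 60_000), "lost": (2_000, 500)}),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS)
    for row in register:
        print(f"{row['rating']:<6} {row['asset']:<22} {row['scenario']:<11} "
              f"£{row['value_at_risk']:>8,}")
    print("\nHigh-rated entries to address first:")
    for row in controls_to_review(register):
        print(f"  {row['asset']} / {row['scenario']}")
```

Running it prints the register in descending order of value at risk; with these constructed figures only the compromise of the customer database is rated High, while the public website's corruption lands in Medium on indirect (reputational) cost alone. Changing the two thresholds is the whole of the calibration: they encode what a High hit on the bottom line means for a particular business.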

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent.

Don’t try and chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair: you can still protect yourself from many cyber attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.
