Know Your Risk
/There's one question that I am asked above all others. "My Board is asking me to provide an assessment of our security risk. We don't know how much we should be investing in information security, but there's a feeling we're not putting enough focus on this today. Where do I start?".
Aligning security needs with business strategy is a mind-blowing exercise for many leaders. No wonder, given the amount of press, technobabble and confusion that surrounds the topic. The good news is, there's an easy way to get started.
I've taken friends and clients through a few simple questions and, in about the time take it takes to meet over coffee, we always come up with the right next steps. Literally on a napkin. But first things first ...
Security is not a technology matter. It's a business decision.
To be perfectly clear, security is not simply a project, a skill set you need on your IT team, or a set of technologies to protect you against viruses and other intrusions. It's a series of investment decisions within your business strategy that drive ongoing activities. As you've heard me say in all other cases, technology choices follow business strategy, not the other way around.
CEO surveys consistently cite cybersecurity amongst the top 5 business challenges. But if your team masters the topic, your risk will be dramatically reduced, you can present maturity to your customers ( some of whom may not buy without appropriate assurances), and it will become normal course of business.
If you overlook the topic, assume IT "has it covered", and just cross fingers and toes, you are likely to expose your business to undue risk.
Security Risk Assessment on a Napkin
To cut through the fog of technology, standards, certifications and compliance regimes that you encounter when you research security strategy, these five simple questions will give you an idea of whether or not security should be a focus for your business:
How many customer records do you store in your systems? Do these records include customer addresses, SINs and other details subject to privacy? If this number is in the tens of thousands or more, dig deeper.
Have competitors and peers in your industry disclosed breaches over the last two years? Is your industry a target for hackers?
What commercial IP does your business own? If this showed up on Wikileaks tomorrow, would your business survive with ease, crash and burn, or be somewhere in between?
How many credit card transactions will your business handle this year? If the number is in the tens of thousands or higher, you are likely PCI compliant. If you are not, spend some time understanding PCI. ( Beware though - PCI compliance does not mean that your security is covered. It's a necessary step, but not sufficient.)
Have breaches, viruses, or ransomware impacted your business over the last year?
Trusting Technology is a book about forming ideas, exploring opportunities with customers and colleagues, and building your future together. Order you copy here . This article is also available in hardcopy as part of my 10-minute Reflections series of exercises—order volume 1 here and volume 2 here.