There are potentially three approaches to risk. You can try to avoid risk entirely, try to reduce it, or find a way to manage it. But for most organisations, it is not a case of choosing one over the others. Risk is an all-encompassing issue, speaking to your ambitions, operations, service delivery and users and, for those businesses in heavily regulated sectors, it very much speaks to governance and compliance.
When it comes to relating risk and information security there is one certainty: the traditional model of putting everything behind a firewall and hoping for the best has been blown out of the water. The move to distributed working and the rapid adoption of cloud and SaaS solutions to support remote workers has turned even the smallest business into a technology-rich organisation. It has also shown how important it is to embed information security into every aspect of your strategy and not just treat it as a “nice to have”.
The search for quick solutions in a state of crisis has led to the usual level of review and evaluation being thrown out of the window. The pace of change and the additional skills required are a huge problem for many organisations whose IT teams are under more pressure than ever before, delivering new technologies while managing and monitoring devices, infrastructure and networks. Some businesses that don’t have the skills in-house may have had to outsource, something they would not have considered in other circumstances.
Everyone wants integrated, user-friendly technologies that provide a great user experience, but how do you balance that with the need to protect data, control access and secure systems in the face of growing cyber-threats?
Now is the time to work out what these technology shifts present in terms of risk. What risk can you afford to take, where can risk be shared and what risk would you not survive? By auditing your environment and highlighting the biggest and most likely security threats, you can take action to address them.
We often say that information security requires a multi-layered approach. In that respect, it’s a bit like peeling an onion. Slice it the wrong way and you’ll be crying as you see those layers come apart and expose your vulnerabilities. Slice it the right way and you’ll be smiling, knowing you have a solid approach throughout your organisation.
By understanding your security risk, reviewing operational responsibilities and educating your people, you can look to the future with greater certainty.
Nick Martin will be part of the panel for the teissTalk “What is the goal of your information security program: risk reduction or risk management?” on Tuesday 2 March 2021 at 16:00 GMT.
by Nick Martin, consulting director, iomart