by Hank Berkley, Contributing editor

Don’t Ever Tell Me the Odds

If you have ever gambled at a casino, you know it’s all about a game of chance and risk. Before placing a bet, the first thing you might consider is your chances of winning. To do this, you might consider the actual probability of winning or losing, then the amount you will bet, and ultimately, the amount you can afford to lose. You might also consider not placing a bet at all but finding another venue or game where the odds of winning might be better – or perhaps you would be better off not playing at all.

These are the same considerations you might use for your company's Risk Register, which we wrote about in our last blog article (http://38.106.74.101/the-first-thing-you-have-to-know-is-yourself/).

The Risk Register is essentially a list of potential risks and serves as a guide to the chances you are taking. For each risk you face, you should:

- Estimate the probability of success or failure
- Identify the maximum potential costs to your business if you fail
- Identify what you have already done to improve your odds

The key to building a successful Risk Register is gathering multiple perspectives: financial, investor, marketing, operational and technical. It is important to bring the right people with the right skills to the table:

- Financial people understand your business from a macro to a micro level and can approximate the impact of an incident
- Operations people help you understand the procedures already in place to reduce risk
- Information Security people have a view of potential risks and your possible exposure to them

The Risk Register can also help guide you to where your security dollars can best be spent. But before adopting the Register as a model for new spending, it should be considered as a place to review current security spending. For example, it is possible that you could be spending more to protect an item than its value. Therefore, it is important to understand the significance of what is being protected, and to recognize whether each additional dollar spent on cyber security produces a smaller or larger marginal benefit. These factors are what change the Risk Register from a technical undertaking to a business endeavor.

Cyber security spending should be adjusted based on broad goals, weighting the spend amounts to protect your most critical assets. Critical assets will vary between companies, will depend on your company’s maturity, and will differ based on perspective. For example, your information security team may have a list of what they consider to be critical assets, but it may not correspond with what the business end of the company determines to be most relevant.

Understanding your organization’s critical assets, your security environment, your technical infrastructure and the potential cyber tools available to you (not to mention the state of the cyber world) is not a small exercise to be undertaken in someone’s spare time. But it is imperative to quantify, to ensure the financial safety of your business. Huge sums of money are at stake – potentially even the survival of the organization.