by Hank Berkley
Contributing editor

“The first thing you have to know is yourself.” – Adam Smith, The Money Game

While Sun Tzu is credited with saying “know thyself, know thy enemy. A thousand battles, a thousand victories,” it was Adam Smith, often referred to as “The Father of Economics,” who highlighted the most important virtue of ‘Knowing Yourself’ in his book “The Money Game.”

In the case of cyber risks, it is no different, and at Partners in Performance, America (PIPA), we believe in the importance of ‘Knowing Yourself’ by identifying the risks within your business and your network. This is not the same as looking for your vulnerabilities. Vulnerabilities are risks that have not been mitigated. The goal of this analysis is to identify all of the potential risks; estimate the potential impact on your organization should each threat be realized; and make a properly-sized plan to mitigate each risk.

A few years ago, companies began to formalize the process of identifying their risks, and the concept of a risk register emerged. There are many formal training programs and even software packages to manage risk registers, but in essence a risk register can be as simple as a list of things that you should be worried about.

Some risks are common to all organizations, such as physical theft of property. Other risks are pertinent to particular industries, such as damage to process control systems. Some risks are particular to your enterprise or organizational mission, and identifying them will require specific knowledge of your operation.

If you don’t have a list of the risks you face, you should start one now. Initially it can be as simple as asking senior people from various parts of the business, “what keeps you up at night?” The topics can be broad to start: “Loss of intellectual property” or “Improper wire transfers,” and they don’t need a cause or a remedy to get on the risk list. At PIPA, we see firms with fewer than a hundred risks in their register and other firms with more than a thousand. The objective is to get a list started, knowing improvements will come with time.

With your list at hand, the metrics concerning each risk need to be estimated. These measurements include:

  • The cost of an incident (assuming the worst case)
  • The cost to lower the risk (which could be $0 if you want to accept the risk)
  • The residual risk once you have taken steps to reduce it

Everything mentioned thus far has been tempered with words like “estimate.” There are several reasons for this. Your business changes, and the risks change with it; the list is not meant to be stagnant. Your risk tolerance may change. New technologies can add risks, but can also be used to combat risks. At this point, having numbers within an order of magnitude is good enough. You may fine-tune your risk register over time as you gain better insights into your business. It is a perfect example of where a continuous improvement process should be used.
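As an added illustration of the three estimates above (not code from the original post or from PIPA), the following Python snippet models a minimal risk register. Each entry carries a worst-case incident cost, a mitigation cost (zero meaning the risk is accepted) and a residual cost. The register ranks mitigations by the net benefit they buy, flags any plan whose cost exceeds the risk reduction it delivers, and buckets estimates to an order of magnitude so that two rough figures can be compared at the precision the post recommends. The entry names come from the post; the dollar figures and the "properly sized means the mitigation costs no more than the reduction it buys" rule are constructed assumptions for this example.

```python
"""Minimal risk register: constructed example, not the post's or PIPA's own code."""
import math
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of the register: a named risk and the three estimates the post lists."""
    name: str
    worst_case_cost: float   # cost of an incident, assuming the worst case
    mitigation_cost: float   # cost to lower the risk; 0 means "accept the risk"
    residual_cost: float     # worst-case cost that remains after mitigation

    def __post_init__(self) -> None:
        # Guard against estimates that cannot be right, e.g. residual > worst case.
        for label, value in (("worst_case_cost", self.worst_case_cost),
                             ("mitigation_cost", self.mitigation_cost),
                             ("residual_cost", self.residual_cost)):
            if value < 0:
                raise ValueError(f"{self.name}: {label} must be >= 0")
        if self.residual_cost > self.worst_case_cost:
            raise ValueError(f"{self.name}: residual risk cannot exceed the worst case")

    @property
    def risk_reduction(self) -> float:
        """How much worst-case exposure the mitigation removes."""
        return self.worst_case_cost - self.residual_cost

    @property
    def net_benefit(self) -> float:
        """Reduction bought minus what it costs to buy it."""
        return self.risk_reduction - self.mitigation_cost

    @property
    def accepted(self) -> bool:
        return self.mitigation_cost == 0

    @property
    def properly_sized(self) -> bool:
        # Assumed rule: a plan that costs more than the reduction it delivers is over-sized.
        return self.mitigation_cost <= self.risk_reduction


def order_of_magnitude(cost: float) -> int:
    """Bucket an estimate to its power of ten; the post says that precision is enough."""
    return 0 if cost <= 0 else int(math.floor(math.log10(cost)))


def same_magnitude(a: float, b: float) -> bool:
    """True when two estimates agree to within an order of magnitude."""
    return order_of_magnitude(a) == order_of_magnitude(b)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Rank entries by net benefit of mitigating, then by worst case, highest first."""
    return sorted(register, key=lambda r: (r.net_benefit, r.worst_case_cost), reverse=True)


def oversized_plans(register: list[Risk]) -> list[str]:
    """Names of risks whose mitigation plan costs more than the reduction it buys."""
    return [r.name for r in register if not r.accepted and not r.properly_sized]


# Constructed sample register; the names are from the post, the figures are invented.
SAMPLE_REGISTER = [
    Risk("Loss of intellectual property", 5_000_000, 250_000, 1_000_000),
    Risk("Improper wire transfers", 800_000, 40_000, 100_000),
    Risk("Physical theft of property", 20_000, 0, 20_000),          # accepted as-is
    Risk("Damage to process control systems", 300_000, 450_000, 50_000),  # over-sized plan
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        tag = "accepted" if r.accepted else ("ok" if r.properly_sized else "OVER-SIZED")
        print(f"{r.name:38} worst=1e{order_of_magnitude(r.worst_case_cost)} "
              f"reduction={r.risk_reduction:>10,.0f} net={r.net_benefit:>10,.0f} {tag}")
```

Because the register is a plain list of dataclass entries, adding a risk is one line, and the ranking and sizing checks re-run over whatever the list currently holds, which matches the post's point that the register is a living document to be refined over time.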

Of the risks you face, cyber security risks are among the most complicated and thus the most difficult to estimate. They also change more frequently than most others and may have the largest negative impact on your organization. But the fact that it is difficult doesn’t mean it shouldn’t be done. In fact, many regulators and independent audit firms have identified risk registers as a standard business practice that larger concerns should be following.

Even if you begin with an informal plan, we suggest that you start to put together a risk register so you can begin to understand a part of your business that can be easily overlooked.

Next week we will discuss more details about a risk register and how to begin to build one.

“The first thing you have to know is yourself. A man who knows himself can step outside himself and watch his own reactions like an observer.” – Adam Smith, The Money Game

Adam Smith was a Scottish moral philosopher and a pioneer of political economy. One of the key figures of the Scottish Enlightenment, Smith is the author of The Theory of Moral Sentiments and An Inquiry into the Nature and Causes of the Wealth of Nations. The latter, usually abbreviated as The Wealth of Nations, is considered his magnum opus and the first modern work of economics. Adam Smith is widely cited as the father of modern economics.
