We find ourselves doing it all the time – using the word “risk” as a catchall for everything related to data breaches. As board-level discussions about data security become increasingly common, it’s important for us to be precise in our language so we can better communicate the need for action as it relates to improving data security.
A Common Vocabulary
I coach youth soccer and recently took on a team of entirely new boys. During practice, I was yelling at them to “go ball” and “cover pass right”, until I realized that none of the kids understood what I meant. I adapted by simplifying my advice to things like “run that way.” Talking about information security using industry buzzwords has the same effect, so we end up using the word “risk” to mean too many things. It’s the InfoSec community’s version of “run that way.”
Justify not Simplify
Instead of reducing data security and privacy compliance to “risk”, we are better served by taking the time to explain the individual components of risk and by working towards an agreed-upon risk tolerance. Chief Information Security Officers and other security leaders have a higher chance of getting the necessary resources if executives and directors are better able to make an informed decision.
Let’s get started:
- Incident: A suspicious event or policy violation. Whether it indicates a compromise or a breach cannot be known until the organization has thoroughly investigated it.
- Compromise: A failure of security that is a direct result of a successful attack.
- Breach: Unauthorized access to sensitive or regulated data.
- Probability: The likelihood, typically annual, of a breach. For example, a data breach probability of 14% per year means a data breach is expected to occur about every 7 years (100 percent divided by 14 percent).
- Impact: The damage, typically financial, caused by a breach.
- Risk: The exposure to damage. In mathematical terms, Risk is the Probability of a breach multiplied by the Impact of a breach. In qualitative terms, we often use the words “high”, “medium”, and “low.”
- Risk Tolerance: The level of exposure that is acceptable to the business. Again, this can be qualitative or quantitative.
Vocabulary in Action
The next time you’re discussing security and compliance and someone says that a particular situation or action is “high risk” or “low risk”, stop and ask them to explain. The reality is that simply having possession of data such as personally identifiable information (PII) is not “high risk.” The risk comes from not taking any action to reduce the probability and/or impact of a breach. These days it’s very, very difficult to greatly reduce the probability of a data breach. Your best move is to make investments that greatly reduce the impact of a data breach. How is your organization managing this?
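As an added worked example (not from the original post), the definitions above and the argument that impact reduction is the better investment, run through in Python. The 14% probability is the post's; the $5M impact, the $200k/year risk tolerance, the effect of each investment and the high/medium/low bands are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    probability: float  # annual likelihood of a breach, between 0 and 1
    impact: float       # damage from one breach, in dollars

    def expected_interval_years(self) -> float:
        """Years between breaches implied by the annual probability (1 / p)."""
        return 1.0 / self.probability

    def annual_risk(self) -> float:
        """Risk = Probability x Impact, i.e. expected loss per year."""
        return self.probability * self.impact


def qualitative_risk(scenario: BreachScenario, tolerance: float) -> str:
    """Map quantitative risk onto 'low' / 'medium' / 'high' (assumed bands:
    'low' is within tolerance, 'medium' up to twice it, else 'high')."""
    ratio = scenario.annual_risk() / tolerance
    if ratio <= 1.0:
        return "low"
    return "medium" if ratio <= 2.0 else "high"


def reduce_probability(s: BreachScenario, fraction: float) -> BreachScenario:
    """A control that lowers the chance of a breach by the given fraction."""
    return BreachScenario(s.probability * (1.0 - fraction), s.impact)


def reduce_impact(s: BreachScenario, fraction: float) -> BreachScenario:
    """A control that lowers the damage per breach by the given fraction."""
    return BreachScenario(s.probability, s.impact * (1.0 - fraction))


# Constructed figures: 14% per year (the post's example), $5M per breach,
# and a risk tolerance of $200k of expected loss per year.
BASELINE = BreachScenario(probability=0.14, impact=5_000_000)
TOLERANCE = 200_000
if __name__ == "__main__":
    print(f"breach expected about every {BASELINE.expected_interval_years():.1f} years")
    for name, scenario in {
        "do nothing": BASELINE,
        "halve the probability": reduce_probability(BASELINE, 0.5),
        "cut the impact by 90%": reduce_impact(BASELINE, 0.9),
    }.items():
        print(f"{name:>22}: ${scenario.annual_risk():>10,.0f}/year "
              f"-> {qualitative_risk(scenario, TOLERANCE)}")
```

With these figures, halving the probability still leaves the expected loss above tolerance, while cutting the impact by 90% brings it well within tolerance.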
September 19, 2017