Information Security Risk Management
By Oscar Kolodzinski (oskolo@alumni.gwu.edu, oskolo@att.net), July 2002
What is at Stake?
A 2002 survey of 503 computer security practitioners in U.S. corporations, government agencies, financial and medical institutions, and universities, conducted by the Computer Security Institute and the FBI, reported that:

Ninety percent of the respondents detected computer security breaches within the last twelve months, and eighty percent acknowledged financial losses. Two hundred twenty-three respondents quantified their losses, at an estimated $455,000,000. The previous year, one hundred eighty-six respondents estimated losses at $377,000,000.
Many experts in the field believe that the above statistics represent only a small fraction of the actual losses. Two reasons stand out: underreporting, since companies and organizations fear a public relations backlash, and the inability or unwillingness of many organizations to quantify their losses properly.
The Impact on Small- and Medium-Sized Companies
Small- and medium-sized companies are particularly at risk because they lack the in-house knowledge and resources needed to address information security. This often leads to incorrect or incomplete diagnoses of the dangers they face.
Often, information security is perceived to be within the domain of IT management and is considered best addressed by technological solutions. This approach, however, produces one-time, tactical fixes with little or no follow-up, which can prove costly and inefficient. Understandably, the problem is magnified during economic downturns.
According to an article in the Journal of Accountancy by Lawrence R. Quinn, a financial writer, "CPAs in internal audit acknowledge the importance of 'stepping up to the plate' on IT security issues to assure protection of information." He encourages CPAs to convince boards and senior management to invest in talent and technology on an ongoing basis.
Likewise, outside CPAs and external auditors should provide proactive advice on information security to clients who lack the resources to address these issues in-house.
Charles Le Grand, Director of Technology Guidance at The Institute of Internal Auditors, says: "The auditing profession is under increasing pressure to provide assurance not only about the reliability of information, but also the security and protection of critical infrastructures on a global basis." He adds that, "although business owners, investors, and regulators continue to be key clients of audit services, the stakeholder role has expanded to include anyone else who relies on an organization, its products and services, and the confidentiality of private information in its possession."
CPAs are trusted advisors to their clients. Whether they act as auditors or consultants, they can therefore play a key role in encouraging senior management to address information security.
A Senior Management Issue
Viewed from a risk management perspective, information protection is senior management's purview. What is the value, for example, of confidential information about the launch of a product expected to increase profits by twenty-five percent, if that information is lost to a competitor or destroyed by a disgruntled employee? What disadvantages face management in salary negotiations if the confidentiality of pay scales and employee benefits has been breached?
The concern shifts from viruses and hackers, which remain valid concerns, to risk management, which focuses (among other things) on the potential source of an attack (internal vs. external), the likelihood of an attack, and the financial impact of the resulting loss or theft. A large financial institution faces different external threats than, for example, a small- or medium-sized manufacturer of ordinary, low-margin products. Yet the internal risk could be similar or higher in terms of the company's exposure and survival. Suppose the manufacturer's competitors are able to obtain its confidential customer lists and prices. Would the manufacturer be at a disadvantage?
Senior management needs to determine the IT risk factors the company faces. For all of its good intentions, IT management typically does not see the full company picture; its focus is keeping the network up and running. IT certainly should not make policy or strategic decisions without the approval of senior management.
Alignment of IT Security Risks with Corporate Goals: a Top-Down Approach
There is no "one size fits all" solution for information security. Every company is different. A strategic business analysis of the threats to the company's information therefore provides a better long-term roadmap. Developing an IT security plan in this manner aligns information security spending with current needs and future goals more efficiently.
The company's strategic plan to manage information risk should include improving processes and controls, training, technology, and insurance. While there is no such thing as one hundred percent security, management is negligent when it does nothing, and foolish when it relies solely on technology.
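The risk management view above weighs the source of an attack, its likelihood, and its financial impact, and then balances the resulting needs against available resources. The following is an added example of how that analysis can be made concrete; it is not code from the original article. It uses the standard annualized loss expectancy model (ALE = single loss expectancy x annualized rate of occurrence), and every asset name, threat, control, and dollar figure is a constructed assumption for a hypothetical low-margin manufacturer, chosen to mirror the scenarios the article raises (leaked price lists, disgruntled insiders, viruses).

```python
"""Quantitative risk register: rank scenarios and pick controls within a budget.

Added example, not part of the original article.  ALE = SLE x ARO is a
standard approximation; all names and figures are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ScenarioKey = Tuple[str, str]  # (asset, threat)


@dataclass
class Scenario:
    asset: str
    threat: str
    source: str   # "internal" or "external", the distinction the article draws
    sle: float    # single loss expectancy: dollars lost per incident
    aro: float    # annualized rate of occurrence: expected incidents per year

    def key(self) -> ScenarioKey:
        return (self.asset, self.threat)

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly cost of this risk."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    # scenario key -> fraction of that scenario's remaining ALE the control removes
    reduction: Dict[ScenarioKey, float]


# Constructed register for a hypothetical manufacturer (assumed figures).
SCENARIOS: List[Scenario] = [
    Scenario("customer price list", "theft by insider", "internal", 250_000, 0.2),
    Scenario("order system", "virus outbreak", "external", 40_000, 1.5),
    Scenario("public web site", "defacement", "external", 5_000, 0.5),
    Scenario("payroll data", "employee snooping", "internal", 30_000, 0.5),
]

CONTROLS: List[Control] = [
    Control("access controls and audit logging", 12_000,
            {("customer price list", "theft by insider"): 0.6,
             ("payroll data", "employee snooping"): 0.8}),
    Control("managed antivirus and patching", 15_000,
            {("order system", "virus outbreak"): 0.8}),
    Control("web application firewall", 8_000,
            {("public web site", "defacement"): 0.9}),
    Control("security awareness training", 5_000,
            {("customer price list", "theft by insider"): 0.2,
             ("order system", "virus outbreak"): 0.3,
             ("payroll data", "employee snooping"): 0.2}),
]


def rank_scenarios(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest expected annual loss first: where management attention goes."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def exposure_by_source(scenarios: List[Scenario]) -> Dict[str, float]:
    """Total ALE split internal vs. external, to test the insider-risk point."""
    totals: Dict[str, float] = {}
    for s in scenarios:
        totals[s.source] = totals.get(s.source, 0.0) + s.ale()
    return totals


def select_controls(controls: List[Control], scenarios: List[Scenario],
                    budget: float) -> Tuple[List[str], float, float]:
    """Greedy selection by return on security investment (ROSI).

    ROSI = (loss avoided - cost) / cost.  Benefits are recomputed against the
    residual ALE after each pick, so overlapping controls are not double
    counted.  Returns (chosen names, total spend, residual ALE).
    """
    residual = {s.key(): s.ale() for s in scenarios}
    chosen: List[str] = []
    spent = 0.0
    remaining = list(controls)
    while True:
        best = None
        for c in remaining:
            if spent + c.annual_cost > budget:
                continue
            avoided = sum(residual[k] * r for k, r in c.reduction.items() if k in residual)
            rosi = (avoided - c.annual_cost) / c.annual_cost
            if rosi <= 0:  # a control that costs more than it saves is skipped
                continue
            if best is None or rosi > best[0]:
                best = (rosi, c)
        if best is None:
            break
        c = best[1]
        for k, r in c.reduction.items():
            if k in residual:
                residual[k] *= (1.0 - r)
        chosen.append(c.name)
        spent += c.annual_cost
        remaining.remove(c)
    return chosen, spent, sum(residual.values())


if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.ale():>10,.0f}  {s.source:<8} {s.asset}: {s.threat}")
    print("exposure by source:", exposure_by_source(SCENARIOS))
    for budget in (30_000, 40_000):
        names, spent, left = select_controls(CONTROLS, SCENARIOS, budget)
        print(f"budget {budget:,}: spend {spent:,.0f} on {names}; residual ALE {left:,.0f}")
```

With these assumed figures the two internal scenarios carry slightly more expected loss than the two external ones, which is the article's point about insider risk at a small manufacturer. The greedy selection also shows why a plan has to be revisited as resources change: at a 30,000 budget only training and access controls are funded, while at 40,000 the antivirus program fits as well, and the web application firewall is never worth its cost against the constructed 2,500 exposure it addresses.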
Benefits of the Top-Down Approach:
- Senior management, which holds the company's larger vision, becomes involved in the steps necessary to protect and secure not only information, but also its sources, its flows, and its final disposition.

- Liability exposure is reduced: with rising concern over security breaches, the company needs to take reasonable actions to limit potential lawsuits, which might be brought not only against the company but potentially against its officers and directors as well. A strong information security program could provide some defense in such a lawsuit by showing that the company and its executives exercised reasonable and prudent due care.

- The company sends a message to its constituents that it is acting as a responsible "corporate citizen" and doing its best, within its budgetary limitations, to protect the company's assets and future. A top-down approach assists senior management in presenting a well-thought-out plan of action to protect information assets.

- The top-down approach promotes scalability. The proposed methodology applies to companies of any size. It helps a company understand its overall IT security needs and balance those needs against its available resources.

- Current and future IT needs are linked to the corporate strategic plan, so that security spending is mapped to business priorities and related activities. This ensures cost-effective, scalable security spending. Specifically, by linking security planning to the overall strategic business plan, the company can establish whether cutting-edge technology is required and how much training is needed, and can set up programs for purchasing new technology or insurance if deemed necessary.

- IT security is viewed proactively: a planning process drives the formulation of security measures. In principle, the goal of the top-down approach is to move information security spending from an expense mindset to an investment mindset. Senior management should lead the charge. Taking their cue from senior management, the executives responsible for IT should address and budget for two main company needs: a) securing the existing structure; and b) aligning and transforming information security to meet the company's future needs.
Information is a company's key asset, and there is every reason to protect it. Technology is at the company's service, and it is indeed a valuable tool. It behooves senior management to take a formal risk management approach in determining how best to protect the company's information assets.
Further Reading
Banham, R. "Hacking It." CFO Magazine, August 2000. http://www.cfo.com/article/1,5309,874,00.html

Gabrielle, M. "Tech Risks Baffle Risk Managers, Companies." CFO.com, February 2001. http://www.cfo.com/article/1,5309,2103,00.html

Kaur, H. "Introduction and Education of Information Security Policies to Employees in my Organization." SANS Institute, August 2001. http://rr.sans.org/aware/infosec_policies.php

Scalet, S. D. "See You in Court." CIO Magazine, November 2001. http://www.cio.com/archive/110101/court.html
About the Author
OSCAR KOLODZINSKI is an international finance and operations executive with twelve years' experience in consecutive positions of increasing responsibility in Fortune 100 companies. Mr. Kolodzinski has worked in Latin America, Europe, and the U.S. Most recently, he served as CFO for an international MSP and professional services firm whose services focused on computer network security.
He holds an MBA from George Washington University and is a Certified Public Accountant in Argentina. He is bilingual in English and Spanish, with a solid command of Portuguese. He can be reached at 201.568.2586 and at oskolo@alumni.gwu.edu or oskolo@att.net.