When we talk about risk management, we must answer three questions:
- What are you trying to achieve?
- What could prevent you from achieving your goal?
- What are you doing about it?
In most cases, organisations get the first question wrong by answering what their function is trying to achieve rather than what the business is trying to achieve. For example, one of the aims of a financial institution is to help customers achieve their dreams, but if you spoke to the fraud team within that same bank they might cite reducing fraud as what they are trying to achieve. Measures may then be taken to reduce fraud which impair the bank's ability to offer products and services to its customers.
We are in an industry that comes with risk. You cannot deliver products and services to customers without risk. The key is to manage your risks to be ‘As Low As Reasonably Possible’ (ALARP), which allows you to achieve your goals. Taking an analogy from the airline business, it is safer for seats to face the back of the aircraft in the event of an incident; however, passengers themselves prefer to face forward. Using ALARP principles, an airline may be better off accepting a minor increase in risk by leaving seats facing forwards, since changing them could affect bookings and the viability of the business.
Cyber threats can be dealt with in the same way, using the same three basic questions. It is cheaper, easier and more effective to incorporate security at the product design phase rather than as an add-on further down the line. Have a plan that addresses your worst-case scenario and the steps you would take to recover, and consider metrics that help you assess the effectiveness of the security you have in place.
Businesses often take additional steps to be compliant with regulation. However, in many cases, answering the three key questions carefully and designing to meet the needs of the customers will often make you compliant. If you take the right steps, then regulation should help confirm that you are taking the right actions.