IT groups face a barrage of demands from CEOs, CFOs, auditors, and boards to ward off new information-security risks such as subtler viruses, evolutionary hacking algorithms, and strategies that exploit wireless connectivity. With resources already stretched thin, IT security executives will have to do ruthless triage. They must discern which security risks pose the most substantial threats, which are small enough to postpone taking immediate action on, and, perhaps most important, which are threats for which IT lacks sufficient risk-evaluation abilities.
The usual way to prioritize these projects is to measure the risk in terms of the worst-case scenarios that could result if nothing is done: for example, loss of customer information and the attendant legal ramifications, or loss of revenue, reputation, or brand appeal. But since many information-security risks are just emerging, there is little in the way of data or best practices, making it hard to ascertain the frequency or severity of some security problems with much confidence. In fact, some risks that appear small may be worth mitigating first precisely because we can't really grasp their implications. In short, CIOs and CISOs need to go beyond merely assessing security risk; they must assess their assessments.
Not all security risks are created equal, so CIOs shouldn't regard them as interchangeable, acting as if their IT teams were equally good at monitoring them all. Typically, they first estimate the worst-case loss, or the asset value at risk in their organization, at some standard level of confidence. Next, they estimate the cost of a security project designed to mitigate that risk. Finally, they rank the projects based on some measure of expected return, such as net benefit or ROI.
A broader approach is needed. That's why my colleagues at the CIO Executive Board and the Information Risk Executive Council focus on how worst-case loss estimates from different parts of a corporation add up at the enterprise level. These aggregates are then used to determine which business-unit risks contribute most to enterprise risk. Surprisingly, the biggest contributors aren't always the ones with the potential for the largest worst-case loss at the business-unit level.
However, bias exists because every organization is likely to be more sensitive to some kinds of security risks than others. Moreover, risk competencies will differ from business to business.
For example, one company may know from bitter experience just what a breach of customer data privacy can cost in terms of customer flight, damaged reputation, plummeting stock price, and the like. Another company might have learned the hard way about how information-integration efforts can compromise records. It would be a mistake to assume every company has the same strengths and weaknesses in assessing fast-evolving information-security threats.
In general, diversified financial-services companies have had to think hardest about how their assessment competencies vary from risk to risk in light of new Basel Committee capital requirements for operating risk. Some energy companies have also thought about their advantages and disadvantages in anticipating commodity risk.
The strengths and weaknesses we all have in assessing different kinds of discernible risks are what I call risk intelligence, which varies not only from company to company, but also among departments within a company.
Based on this, a critical new step can be added to the assessment process before time is spent or resources are allocated: ask which risks your organization is skilled at assessing. Then separate the projects for which the organization has high risk intelligence from those for which it has low risk intelligence before deciding which to pursue first.
As I detail in my book, Risk Intelligence: Learning to Manage What We Don't Know (Harvard Business School Publishing, 2006), begin by listing the main risk types your organization faces. Your list may look something like this:
The best way to assemble a list is to canvass operating managers. Those from the audit, legal, and marketing departments may have useful perspectives; and don't forget to talk to other IT managers, too. Ask for estimates of worst-case losses from the risks of your business partners over several time intervals: a month, a year, five years. Ask about the cost and reliability of mitigating them.
In the end, you should have a list that captures the risks that account for the lion's share of information-security problems. Now you must assess your risk intelligence for each.