By Bridget Kenyon, on 12 May 2017
There is a type of security which is nothing but smoke and mirrors; a ceremony of actions which has no actual effect but that of making people feel better.
This can be a good thing, or a bad one.
What do we mean by “risk appetite”?
An organisation uses security measures to meet its obligations to other parties (including the government). However, the organisation also needs to meet its “risk appetite”. The exec and the board, or the senior management team, take the strategic priorities and plans of the organisation into account, then work out how much information risk is just short of “too much”. That level is its risk appetite.
Clear enough? OK, now remember that the organisation is composed of individual people. They each have their own individual risk appetite; their own idea of what is an acceptable level of risk.
Some people will think that the organisation is too draconian, with policies which are overkill. Others will feel their concerns on information risk are being ignored, and believe that the organisation is dicing with death.
When might ceremonial security be worthwhile?
For people in the latter category, you can implement something which makes them feel better about risk, but doesn’t actually make any difference. By doing this, you may benefit both the individual (they get to sleep at night) and the organisation (they get a better performing staff member and they are not over-egging the pudding).
When might ceremonial security be damaging?
What if you implement risk management activities which don’t have a beneficial effect, even though they are actually expected to? Let’s pick an example. Imagine that you implement mandatory virus scanning on your computers, but you take no action if a virus is detected, and no-one ever looks at the results of the scans. That’s a dangerous situation. You have something which looks like a very good idea, but is entirely useless. It may even have a negative effect on security, as you may assume you are safe from viruses, and let down your guard.
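One way to tell whether a scanning control has become ceremonial is to check the scan results themselves: if detections are logged but nothing is ever quarantined or reviewed, the control is running for show. The script below is an added example and not part of the original post; the log format (one event per line: timestamp, host, event name, detection id) and the sample lines are constructed for illustration and are not from any real product.

```python
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from the original post).
# Detections d1 and d3 receive follow-up; d2 and d4 are never acted on.
SAMPLE_LOG = """\
2017-05-01T02:00:00 ws01 scan_complete -
2017-05-01T02:00:05 ws01 detection d1
2017-05-01T09:15:00 ws01 quarantined d1
2017-05-02T02:00:00 ws02 scan_complete -
2017-05-02T02:00:07 ws02 detection d2
2017-05-03T02:00:00 ws03 scan_complete -
2017-05-03T02:00:04 ws03 detection d3
2017-05-03T10:00:00 ws03 reviewed d3
2017-05-04T02:00:00 ws04 scan_complete -
2017-05-04T02:00:09 ws04 detection d4
"""

# Events that show a human or a tool actually responded to a detection.
FOLLOW_UP_EVENTS = {"quarantined", "reviewed"}


def parse_events(text):
    """Parse 'timestamp host event detection_id' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, det_id = line.split()
        events.append((datetime.fromisoformat(ts), host, event, det_id))
    return events


def unhandled_detections(text, now_iso, max_age_hours=24):
    """Return (detection_id, host) pairs older than max_age_hours with no follow-up."""
    now = datetime.fromisoformat(now_iso)
    max_age = timedelta(hours=max_age_hours)
    detections = {}
    handled = set()
    for ts, host, event, det_id in parse_events(text):
        if event == "detection":
            detections[det_id] = (ts, host)
        elif event in FOLLOW_UP_EVENTS:
            handled.add(det_id)
    stale = []
    for det_id, (ts, host) in sorted(detections.items()):
        if det_id not in handled and now - ts > max_age:
            stale.append((det_id, host))
    return stale


def control_is_ceremonial(text, now_iso, max_age_hours=24):
    """True when the scanner produced detections and every one of them was ignored."""
    total = sum(1 for e in parse_events(text) if e[2] == "detection")
    stale = unhandled_detections(text, now_iso, max_age_hours)
    return total > 0 and len(stale) == total


if __name__ == "__main__":
    for det_id, host in unhandled_detections(SAMPLE_LOG, "2017-05-10T00:00:00"):
        print(f"detection {det_id} on {host} has had no follow-up")
    print("ceremonial:", control_is_ceremonial(SAMPLE_LOG, "2017-05-10T00:00:00"))
```

Run against the sample, the script reports d2 and d4 as never acted on; the control is only flagged as fully ceremonial when no detection at all gets a follow-up, which is the situation the paragraph above describes.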
What’s the take-home lesson from this? Maybe it’s that there are different ways to see risk, but no “single right answer”. Those who look for the simple, easy way out are doomed to believe that they have found it.