Today's work force is comprised of people from at least three generations who have witnessed the rapid evolution of technology parallel to the evolution of flight. Just as the Wright brothers were laughed out of the hangar from which the airplane was born, our collective experience of the changes in the information technology field and what they mean to us has run the trajectory from skepticism to acceptance to absolute reliance. In 2012, the rise of cyber attacks took us from absolute reliance on our technical domains back to skepticism on how much risk we can afford to take.
Our servers have become clouds, our offices have become virtual and our work has gone mobile, with the mysteries of back-end connectivity, functionality and security locked behind the fuel chamber we like to call technical support. The question of whether we can connect and function securely is today's equivalent of sending a man to the moon: How can we maintain control when there are countless, inextricable variables into which we can never have full visibility? When it comes to cyber security, are today's business managers flying blind?
As much as we might like to believe that we can turn to our technical support teams to make security decisions, we must face the fact that they cannot legally assume the liability of risk exposure. That responsibility lies with the executive leadership in every organization. CIO's are required by the Clinger Cohen Act to answer for the risk assumed by the organization in using the Internet for commerce. CIOs are not always cyber security experts. What information is needed to make an informed decision on acceptable cyber security risk? How much risk is too much?
In order to make good risk decisions, each CIO needs to know a few basics: What do I stand to lose? If I can't stand to lose it, how much security do I need to protect it? Inherent in the second question is the understanding that vulnerabilities have to be identified and fortified with effective controls. However, when do we know we have achieved the necessary level of protection without going overboard and buying more security than we need? Or worse yet, that we locked the front door and left the back door open?
One tool available to the CIO to assist in understanding how to identify real risk to the organization is provided freely by the National Institute of Standards and Technology (NIST) Special Publications (http://csrc.nist.gov/publications/PubsSPs.html). Special Publication 800-39, Managing Information Security Risk, establishes a framework for companies looking to get their arms around risk tolerance. Special Publication 800-30, Risk Management Guide for Information Technology Systems, will provide a thorough risk assessment handbook. Having these tools in the CIO's arsenal may not assuage the anxiety of risk responsibility, but they will be flying high when they can justify to their leadership the risks they take every day on the world wide Web.
Submitted by Taranet