“Hey Ralph, I’ve got an extra ticket. Want to go to the game with me?”
“Sorry, I can’t. I’ve got to replenish this special powder I put in my yard to keep out elephants.”
“But Ralph, the nearest elephants are 150 miles away.”
“See how well it works?”
Are you, like Ralph, missing opportunities because of spending resources on ill-considered security precautions?
Bruce Schneier offers this perspective in Secrets & Lies: Digital Security in a Networked World, John Wiley & Sons, Inc. (2000), pp. 383-384 (2000):
There’s no such thing as perfect security, but that’s not necessarily a problem. After you’ve identified a risk, you can do one of three things with it: You can accept it, you can reduce it, or you can insure yourself against it.
Security does not have to be perfect, but the risks have to be manageable.
Perhaps you can accept the risk of elephants and reallocate the “special powder” budget to new business development.
In general, you’ll find that successful, productive businesses have reduced risk to an acceptable level. Of course, there’s a lot implied in that short phrase. How do we assess the risks? What’s an acceptable level? How do we respond to a risk event? How do we monitor risks over time? And most fundamentally, what is “risk”?
Here’s a definition of risk from NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, U.S. Department of Commerce (September 2012):
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:
Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
Are you unsure what you should adopt for a risk management strategy? NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, U.S. Department of Commerce (March 2011) gives a perspective on information security risk management, which is an important part of your overall Enterprise Risk Management (ERM) program.
Balancing security risk against business opportunity is an ongoing challenge. Today’s decision about which risks are high for you and which are low will no longer be appropriate when external factors change. That’s why you should plan to regularly re-evaluate your risk management decisions.
As you strive to reduce risk to an acceptable level, consider the likelihood of occurrence. You could be like Ralph and make sure those elephants don’t trample your daisies. Or you could take a chance and go to the game.