Paul Bennington, Associate at The Bayard Partnership, a mechanical engineer with over 25 years’ experience in automotive production, takes a fresh look at a familiar topic.
Have you ever been in a situation where you don’t know what product to choose? Either there is too much choice or, more often, you don’t have the money to buy the best, so you must compromise. We make trade-offs to get the best possible deal from the resources we have. We start doing this as children: with limited pocket money we go to buy sweets or toys and must decide which is best on colour, taste or size. As we get older the stakes get higher and sometimes, in the complexity, we lose sight of the process. When it comes to IT security, I’ve seen IT specialists and business leaders either diving into solutions without understanding the consequences or stuck without any idea how to proceed.
I started my working career in the automotive industry. Just one big office. Security was more about us not getting hurt than about protecting our information. The information was not in a computer, it was in a drawer under my desk, and the only encryption was my bad handwriting. By the time I left the automotive sector, things had changed enormously. There were rules imposed on us by “management” that restricted where we could go on the internet, what we could plug into our laptops and even how we should take our laptops into meeting rooms. We were in a new world where industrial espionage was rife and there were spy photographers parked outside our office hunting for pictures of our new cars.
Four years ago, I retrained and took a step sideways out of mechanical engineering and into the IT world; not as an IT technical specialist, but as a technical writer and then as an auditor for IT security. I have read and re-read the standards for IT security and I can understand where the rules imposed on us in the car industry came from, but as a user I was never told the fundamental reason for them. As an auditor, the first thing I look for is the reason for applying any security rule.
The reason for applying IT security may sound obvious, but like the child in the sweet shop, we must make trade-offs, and those compromises should be based on a risk assessment. To many people a risk assessment sounds complicated but, in reality, it can be very simple. There is one question to ask: What is this information worth? And the common currency of worth is money!
There are two basic principles to remember in making a risk assessment.
- Cost based: What would it cost if the asset or information were lost? There are many ways to define “lost”; among them are cost of replacement, cost of lost revenue, cost of legal fines and cost of damage to reputation.
- Keep it simple: any risk assessment must guarantee three properties. The results must be repeatable, transparent and valid. That means that regardless of who makes the assessment or who reads it, they must all agree on the result. I recommend having a minimum of 3 and a maximum of 5 levels in your cost table. The different levels should be broad enough to be easy to apply. For example:
  - less than €50
  - €50 to €500
  - €500 to €5,000
  - €5,000 to €50,000
  - above €50,000
In the first instance, the assessment doesn’t have to be more complicated than that. If you only do this level of detail, then at the end of the day, you will know how much your information is worth, what information is more valuable and, like the child in the sweet shop, you will be able to decide how best to spend your money.