Archive for the ‘Communication’ category

Should an Information Risk Manager Manage “Risk?”

March 7, 2010

Great Minds Think Alike

This post will summarize a provocative presentation at the RSA conference on Tuesday by long-time security practitioner Donn Parker, and detail a similar approach that IREC has been recommending, which we call Controls Maturity Assessment (CMA). We have previously referenced our CMA work in this blog, especially in this post. What is provocative about these approaches is that they both suggest making risk assessment a secondary consideration in your information protection strategy.


Information Risk Metrics — Necessary But Not Sufficient

February 15, 2010

IREC members overwhelmingly report that improving the information risk metrics program is at or near the top of their agenda for 2010. Almost to an individual, CISOs tell us that the ROI calculation for their metrics program isn’t nearly what it should be. Years of ongoing investment (staff time to collect and report metrics, expensive technologies to aggregate data feeds, etc.) have led to just a marginal improvement in tangible outcomes.

Organizations use metrics in the service of three major outcomes: 1) communicate persuasively with executives; 2) improve internal efficiency; and 3) track the risk landscape. In each case, good metrics are a necessary but not sufficient mechanism for solving the problem, and leading organizations are working to find the correct balance between metrics and other decision tools.

Handy Resources for Responding to WSJ-Inspired Questions

September 23, 2009

Fortunately, the three articles in today’s WSJ on IT security are a lot less troublesome than those of two years ago. Nevertheless, it is a good idea to be ready to respond to questions coming out of the articles from senior executives and managers in your organization. The elevator pitch is probably:

Yes, we are well aware of these threats and have protections in place against them. I am concerned about <Vulnerability X> and I’d like to implement <Security Investment Y> to address that and reduce the risk of <Business Impact>. Can we talk about that next week?

With that in mind, here are some facts and resources that will be helpful to have handy. The articles have titles that address sources of threats, but go on to address a wide variety of related risks. I’ll try to organize this post a little more consistently rather than respond to each article point by point.

Your CEO is going to yell at you this week

September 20, 2009

Just over 2 years ago the Wall Street Journal published an article, “Ten Things Your IT Department Won’t Tell You”, which was basically a guide to circumventing security procedures, and making security look stupid in the process. We’re confident anyone who was working in information security back then remembers the day this article came out, since they probably found out about it from an angry call from their boss.

We are unable to confirm it from a search of their web site, but sources tell us that WSJ will be publishing a special section on information security this week, so get ready to answer some potentially awkward questions.

For example, is your social media strategy ready yet?

Anyone with further information please get in touch.

We have confirmed that this section is coming out on Wednesday.

Obama lends CISOs a helping hand?

September 11, 2009

This week Obama gave a warning to kids about their social media activities. I’d like to spend some space here to analyze how effective this might be.

My first reaction to this was “great!”. Organizations, or more typically people in their organizations, are diving into social media use. But, as we describe in this week’s Business Week, organizations lack governance and policies around social media. One thing our member CISOs have been working hard on over the last year is user education on appropriate use of social media. Any attention is a good thing, and this will likely get some play in the media.

Then I thought about our research into how security awareness messages change user behavior. We analyzed the differential effect of communications depending on the source of the message (manager, colleague, etc.). We can probably draw a rough parallel between these corporate positions and people in a kid’s life:

  • Direct Manager = Parent
  • Colleague = Friend
  • CEO = Obama
  • Information Security = ???  Maybe a nerdy teacher at school?

With this, maybe it’s worth a moment to extrapolate from the data we have. Here’s a graph of the relative* effectiveness of these sources:

[Figure: relative effectiveness of security awareness messages by communication source]

So, as we probably already knew, it is likely best for parents to talk to their kids about this subject, but the President’s message should be pretty effective.

* (Maximum Impact is actually an absolute measure, but a bit involved to explain here. Contact us if you would like more information.)

What the swine flu can teach us about crisis communication

May 8, 2009

Now that the swine flu seems to be more or less contained and on the retreat we can take a look at how institutions (especially the World Health Organization) dealt with this crisis and see if there is anything that we can learn from it.

The interesting part about this flu was that it introduced the WHO’s just recently updated pandemic alert phases to the general public. I think it was the use of this new communication vehicle that actually created more anxiety around the world than was necessary.

The new alert-phase model the WHO introduced uses 6 + 2 phases, illustrated below:


What is interesting is that the phases do not articulate the severity of a virus; they instead focus on the way the virus spreads. Phases 5 and 6 mean widespread human infection, but not necessarily widespread human casualties, because that would depend on the severity of the virus.

Initial press reports usually combined stories about new deaths from the swine flu with the WHO announcing phase 5/6. The reason for the WHO announcement was to communicate to countries that, as a pandemic, health services and other related government services needed to step up their game in ensuring containment.

But what happened was that by communicating this message to the general public, the message got mixed up, resulting in a scared public, mostly because it misunderstood the alert levels. The public thought that a move up in the alert phases meant an increase in the impact of the virus, and that an increase in the impact would mean an increased chance of dying from the flu. But that was not the case. As we now see, the swine flu was much less deadly than most other flu viruses: so far only one person has died of the swine flu in the US, while so far this year already 13,000 people have died in the US of the general flu.

What could have been done differently? Instead of this one alert level, the WHO should have two alert scales: one for “internal use only” and one for the public. The internal-use-only scale should do exactly what the current one does, namely make sure that contamination is being limited by warning relevant agencies about the level of transmission of the virus (how easily does it spread?). The public scale, on the other hand, should warn about how the virus spreads, how severe it is, and what symptoms are typical. It shouldn’t create panic but instead educate the public.

What does this mean for information risk groups? Different audiences require different messages and different ways of communicating with them. There needs to be clear communication on how to respond to an incident for those who have to deal with the incident. Those who are directly impacted by an incident will have to know how to detect that an incident has occurred and be aware of how to react to it. Those who are not directly impacted by an incident need to be kept informed about what is being done to remediate the situation.