Know how to measure, use and resolve risk issues and use it to deal within your organisation.
Speaking at 44CON in London, security director Thom Langford said that many companies struggle with their risk appetite and do not understand it and not without reason, as it may change from one country, culture and office to another.
“Accepting risk is a good way of dealing with it as you aware of it and you understand risk to the business,” he said. “Balance probabilities and understand what the risks are and how it affects you. Risks commoditise. 15 years ago denial of service didn’t happen and now they are everywhere.”
Langford said that looking back at history, we can learn and improve on what we do today, but despite that, we don’t always follow advice. “No one removed anti-virus despite Symantec saying it was useless,” he said.
Talking on how to deal with risk, Langford said that you still “need to treat it and use it and have a flexible risk responsibility, but just because nothing is happening, it doesn’t mean it is not a problem,” he said.
“When you measure risk and mitigate, have something in place for when it starts to go wrong. Incident management is a good option as you need to reduce impact, but incident management needs to tie into risk management.
“Also recognise and understand the difference between hygiene and actual risk – when does it matter and when it is a knee jerk reaction. How are you dealing with risk, and appreciate the differences.”
Langford concluded by encouraging delegates to spot patterns in risks and detect what has become a commodity, and appreciate that just because it has been mitigated, it doesn’t mean it has not happened. “Don’t suffer a placebo effect,” he said.
“It is about a regular review of your risk matrix and what is causing you a problem as a professional. It is about having an effective approach and communication with the board, they just want “are we secure”, but making sure you have decent communication skills and putting them across.”