In this age of exponentially growing information risk, we can become like Dorothy was early in her journey and focus only on the things that can go wrong. We can get so caught up in what can go wrong that we forget to take inventory of what needs to go right.
Over lunch recently, a friend of mine with a career in risk management shared a helpful perspective on this. Instead of always approaching risk as trying to think of everything that can go wrong, think of what must go right first. That might sound like two sides of the same coin, but I think it is more than that. This approach helps to prioritize efforts and resources.
It’s easy to get caught up in trying to create an exhaustive list of everything that can go wrong. A problem with this is that it can:
- be overwhelming to the point of analysis paralysis, and
- tend to identify risk that may not be relevant to your situation.
There are some risks that may not be immediately pertinent to you. For example, the latest specification for encryption for data at rest for DOD contractors might not be at the top of your list. However, having an always-on internet connection so that you can make company website updates might be.
Take the hypothetical of a bike shop with three stores. Some things that must go right for the owner might be:
- Internet connection constant for running credit cards
- Customer information (to include personally identifiable information) retained for billing and marketing and only accessible by authorized employees
- Bookkeeper has secure connection to financials from outside the stores
- Safe, secure workstations available 6:00 am – 6:00 pm for employees
- 24/7 access to current inventory across all stores
These are some pretty basic requirements, but they help to prioritize need. By looking at these requirements for things to go right, what are things that can prevent this from happening? What’s the risk of loss of internet connection? Are we sure that customer information is available to only authorized employees? What kind of connection is the bookkeeper using? Do the workstations have regular anti-virus updates? Are there policies/guidelines on workstation use by employees? If the computer with the store inventory fails, is there backup? How quickly does it need to be recovered?
In spite of the risks of lions, and tigers, and bears, Dorothy was able to return to her mission and seek the Wizard. We must do the same and not lose sight of our business objectives in our analysis of the lions and tigers and bears.
Can you name 5 things in your organization that must go right for you to be successful? What vulnerabilities do these objectives have? What threats do they face?