When it comes to cyber security, paranoia – or more accurately concern – is appropriate.
One challenge that some information security pros have is that they see cyber security as black and white. In my opinion, there is no black or white when it comes to cyber security, only shades of gray.
So when one of my team members came up with the term adjustable level of paranoia (thanks James!), I really latched on to it.
Each person and each organization has its own level of concern. Mine might be an 8; yours might be a 2. On this scale a higher number means more concern and less appetite for risk. The interesting thing is that there is no right answer. If your risk number is a 2, all that means is that you are willing to accept more risk in the process of running your business or your life than someone who considers themselves an 8.
The air bed company Sleep Number® has built an entire ad campaign around the tag line “What is your Sleep Number?”
So for me, the question to ask is “What is your risk number?”
The CEO might have one, the CIO another, and the Board – well, who knows.
It is important that the entire C-Suite and Board be aligned regarding the level of risk they are willing to accept.
Different industries might have different risk numbers; a building maintenance firm might say its risk number is a 2, while a hotel chain, in an industry where it seems there is a new breach to report every day, might be an 8 because of the reputational damage a breach would cause.
On top of that, within a company, the risk number might be different in different departments. Marketing might consider themselves a 4 while product development might be a 9.
The important thing here is the process – that management have a discussion to assess the level of risk that they are willing to accept and, as a corollary, how much risk mitigation they might have to do. Likewise, at a department level, marketing, as I said above, might consider themselves a 4, but management might consider marketing a 7. That difference, if it is allowed to persist, might make certain risky activities acceptable to the head of marketing that would scare the heck out of the CEO.
This is a good time – whether you are in business or just personally – to ask the questions: WHAT IS YOUR RISK NUMBER? Then take actions to manage your risk consistent with your adjustable level of paranoia.
And, likely, you should revisit the question periodically to see if your paranoia level has gone up or down.
Information for this post came from CSO Online.