NBlog Nov 24 - elaborating on information risk

High-level corporate, project and personal objectives are often very vague - “A trusted partner”, “A safe pair of hands” or “The best!”. Same thing with corporate mission statements (“Don’t be evil”), marketing/branding (“Just do it”), politics (“Vive la revolution!”) and more. To act on and hopefully achieve them in a rational, directed or controlled manner involves understanding what they really mean, peeling back the layers, exploring the meanings and interpretations in more detail – a process that is inherently uncertain i.e. risky. The upside risk (opportunity) arises from the understanding, insight, specificity and consensus generated as they are discussed, amplified and clarified, while the downside risk includes the opposites e.g. misunderstandings, hand-waving generalities and fragmentation of objectives. 

ISO/IEC 27001 tries to persuade organizations to think through their corporate or business objectives, elaborating on the information risk and security implications which form the main drivers for the Information Security Management System. I’m not entirely sure it succeeds though! Section 4 on the context for the ISMS is extremely important to the ultimate success of the ISMS but the standard's wording is succinct and complex, open to a wide variety of interpretations. It’s a topic we often discuss on the ISO27k Forum. 

It’s a tricky thing to do at the outset of an ISMS design and implementation … and, by the way, something that ought to be actively reviewed and updated as time goes on, not least because if it ISMS itself materially changes the organization. A sound ISMS affects not just achievement of the corporate objectives in this area, but opens up further possibilities for the business. A secure organization has more options.

Aside from personal or individual objectives, all the others involve groups of people working towards shared/common objectives (hopefully), and of course that creates room for differences of interpretation, approach, priorities etc. Hence communication is another risky aspect to this – not datacoms but expressing, discussing, understanding and agreeing on complex issues. It includes persuasion, possibly even social-engineering-type manipulation. This very email is an example: I think I know what I’m trying to say, but I’m certain not all of you will read it, get it and agree with every word! I’m taking a small risk by even expressing it. 

In the information security context, we have numerous objectives, some of which are hard to express and pulling us in different directions (e.g. strong authentication and access controls reduce the availability of information to legitimate/authorized users as well as to the illegitimate/unauthorized ones; strong compliance can be costly and counterproductive). I maintain that exploring and elaborating on them, emphasizing in particular the infosec objectives that most obviously and directly align with and support the organization’s business/strategic objectives is a powerful approach. It certainly makes it harder for anyone to block or interfere with the achievement of security objectives. It can be career-limiting to be seen to be acting against the organization’s interests. Resisting without being obvious about it remains a possibility however!