Most companies work regularly to reduce risk without truly understanding what risk is or how much it should be reduced. Some managers will tell you that risk exists, but they won’t be able to tell you where or to what extent. Others can identify where a risk might lie, but cannot tell you the impact to the company should the identified risky event occur.
Most technology managers tend to talk about risk in terms of security and disaster recovery. They’ve established firewalls and back-up systems with off-site storage to reduce the risk of losing their data, but have little understanding of how the costs of these systems measure up against the risk of loss. The primary reason for this is that they have little understanding of the real value of the data they are working to protect. This is, in part, because many technology managers don’t understand risk or how it is measured.
Risk, in general, involves loss, catastrophe, or other undesirable outcomes. Having your customer information, including their credit card numbers and details, posted on the web would be one such undesirable outcome. Having all patient records lost in a fire would be another. When asked, most technology managers agree that these things would be “very bad”, and they spend a large portion of their IT budget doing everything they can to prevent these undesirable outcomes. Let’s say, as an example, that a manager is spending $5M on a cyber security strategy, including software, hardware, and staffing. Is that the right amount? Too little? Too much?
To effectively evaluate the expenditure in the context of its value, technology managers need to quantify risk. In the case of the data environment, doing so means understanding the real value of the data itself. The challenge here is that data, the ones and zeros stored on hard drives, has no real intrinsic value. Data, and the information derived from these data sources, is valuable only when used as the basis of business decisions. Thus, to understand the value of the data, one must measure its value in the context of the business. It is necessary to analyze the data, its possible uses, and their value to the business in terms of costs and revenue. Doing so provides the technology manager with the insight necessary to reduce expenditures if the risk is lower than the $5M budget, or increase the budget if the risk is higher.

- Dr. Jim