Q&A

Frank Bernhard: The Art of Uncertainty

To hear Frank Bernhard tell it, economics is anything but the dismal science—and risk management is the key to a CSO's success.

By Elaine M. Cummings

Likewise, you have to set thresholds in your enterprise within your control for the amount of risk you're willing to accept. Then determine where to establish a coefficient that's within your comfort zone.

How do you determine that threshold?

First, consider your resources and possible contingencies. If the risk of losing a server is greater than the ability to recover the data in that server, then do not proceed with whatever procedure might jeopardize the loss of the server. You start with asking yourself what the very essence of risk is in your enterprise. The answer will be very individualistic. And the trade-offs are numerous.

What would you identify as the number-one area for information security concern today?

It's threefold, really. First, you need to control access. Most attacks happen because people have access to systems, not the server, per se, because the server is the only end point of access. Access happens when I walk into the building. So you need to think about access cards that give free-moving entrance to facilities. Access may also be logging on to a network. So you create passwords or authentication to the network.

The second part is to think about information assets and their hierarchy in the organization. For example, is your customer data the most important asset to running your organization? Or is it the financial systems? The supply chain system? Or your data warehouse? And do your employees use the data on their desktop, or is it used strictly on a protected server? You have to start by doing some hierarchical mapping of what your information assets are to prioritize what is most at risk.

Then, thirdly, you need to consider mobility, the combination of access and assets. I mean, how do people interface with your systems? You have wireless LANs [local area networks] and VPNs [virtual private networks], and all that comes with technology, but the problem is, you still have people in the equation. And people are using systems and assets outside of the wired environment that they've traditionally operated in. So they have to come back to the basics of how to control that mobility.

And then how do you know how much to spend, and on what, to mitigate risk?

It's difficult to know how much spending is enough. You need to determine how much risk you're willing to accept and assume. And then financially and methodically compute that risk. And that's where most people really get stuck. Either the tendency has been to spend without concern for a bottom-line impact or go overboard with governance that maniacally destroys the productivity of an organization.
