A: I think the concept of risk is something that people really struggle with. And their eyes glaze over as soon as you say "business impact analysis."

It all comes down to risk acceptance: How much would it take to put your company at stake? When don't you have a company anymore? And then, what's the cost factor involved in getting you to the point where you feel comfortable that that won't happen?

Q: So how do you get people engaged without painting disaster scenarios?

A: You don't. But you don't want to scare them unnecessarily.

For so many years, we in the security profession have cried wolf. The way we sold security was FUD: fear, uncertainty and doubt. If we didn't scare our bosses to death, we wouldn't get anything. Now, was it really that bad in all the cases? Maybe it was, and maybe it wasn't.

Q: And now?

A: Instead of using fear tactics, it's easier today to sell senior executives on things like being a partner to the business and getting a return on investment and making the processes faster, easier, better for the company, and saying, Oh, by the way, while I do this, I can eliminate some of your risk.

Q: You've said that security is becoming a business continuity job. What do you mean by that?

A: The things I need to protect from a recovery standpoint are going to mirror the things that are identified in my security model. If you're implementing a good security practice, it translates directly into your disaster recovery model, to say, Here are the key systems that I have to have this kind of protection on, and they're the ones I also need to be able to recover. That's one of the reasons you will see a lot of folks in the CSO world who have both disaster recovery and security responsibilities.

Q: So security is really just one part of risk management?

A: The chief security officer could as easily be a chief protection officer or a chief business risk management officer. It's a semantic thing. But we do it for the sake of the business, not for the sake of security. Why do I want to put in virus protection? It's because the business can't continue if we get hit with viruses.

Q: What are the key elements of risk management, then?

A: There are really three: physical security, information security (and I take information to be information, period, regardless of whether it's electronic or hard copy) and business continuity. But some companies have people who do information security, and people who do physical security, and people who do business continuity; and the three never meet, which is a big mistake.

Q: Like inventing the wheel three times.

A: Exactly. And the three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.

Q: A lot of people, especially those close to the 9/11 attacks, are disappointed by our short collective memory. Why is it?

A: As a society, we're forgetful and forgiving. A majority of Americans have gotten on with their lives and don't want to be reminded of what happened. We had a small window to try to change a lot regarding security and business continuity. Unfortunately, it wasn't during a strong economic time.

Q: If a company missed that window of opportunity, where the need for continuity planning was so horrifically illustrated, are they out of luck?

A: It's never too late to start planning.

Q: I suspect that's easy to say but a lot harder to do.

A: But you have to. If you don't know the impact of an event, you're more likely to push it aside and decide it's not important to do a lot of business continuity planning. The real fear comes in when you commit to the fact that you want to know that information. And what I would profess is that a lot of companies don't want to know it because they are afraid of any potential impact.

Q: Can't they just accept the unknown risks?

A: To accept a risk, you have to know what the risk is and what effect it would have on the company. That's why you conduct a business impact analysis to determine, for example, what the loss is in money and reputation if a particular system goes down for more than three hours. Then you compare that with the cost to maintain that particular server with a backup of less than three hours. If the losses are $1,500 a day but the costs are $50,000 amortized over a period of time, maybe the risks don't outweigh the recovery. But the businesspeople have to know what those risks are in order to make an intelligent assessment.

Q: But it's easier not to go there.

A: It's easier not to know what the risks are. But you have to understand what you're planning for. It's like insurance. You don't plan on having a car wreck, but you buy insurance. You may not have had an accident in the last five or 10 years, but you still pay it every year.

Q: But most of the time you're not going to have a car accident.

A: And most of the time the World Trade Center is not going to fall on your head. We got hit in 1993, so the building will never fall down, right? Don't ever tell me that things won't happen, because I experienced one of those. I was there that day, in one of those events that would never happen.