I had a discussion recently with a security manager in which I came across the term “appetite for risk”. I had never heard it used in information security and assumed it meant the level of risk an organisation is willing to accept.
That definition is vague because it treats the entire organisation as a single unit with one view of the risks involved in all of its operations. I am interested in investigating how risk is actually viewed, and would like to start with a small company that is growing, and whose appetite for risk changes as it grows.
To clarify, ‘appetite’ here is not the same as ‘desire’, as it would be for food. It is closer to tolerance: how much of the various risks a company encounters it is prepared to live with.
The majority of companies are owned and operated by one person. In this scenario the appetite for risk with regard to information security can be very high. The IT system of such a business is usually a single machine in a shared area of the home, used by family members as well as for the business.
At this point the business might not be sure of its future prospects: it might still be testing the market, acquiring its first customers, trying out a new product, or getting to grips with the IT it uses. All of these demand resources, and resources are limited when only one or two people are involved. The appetite for risk is high because all attention is on growing the business. It is still in its infancy, and information security can seem unnecessary.
I would disagree, of course, but I would also point out that the basic security functions needed at this stage are already available in the operating system and application software in use, at no extra cost. The machine should be physically protected from as many domestic hazards as possible (heat, water, knocks and theft). All business affairs should be kept in a separate, password-protected user account, so that the family’s browsing, downloads and mistakes cannot reach the business documents. The documents in that account should be backed up regularly to an external drive, and the backup should occasionally be restored to check that it actually works; a backup that has never been restored is not yet known to be a backup. If the information is confidential it can be encrypted in the backup, on the everyday machine, or in both places, with the passphrase kept somewhere other than on the drive that holds the backup.
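As an added illustration of the backup and encryption step (this script is not from the original post; it assumes a POSIX shell with tar, sha256sum and openssl installed, uses a temporary directory in place of the external drive, and the passphrase file path and demo documents are constructed for the example), the following script makes an encrypted archive of the business documents, records a checksum so damage on the drive is detectable, and then proves the backup by restoring it:

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: POSIX sh, tar, sha256sum and openssl (1.1.1 or later, for -pbkdf2)
# are installed; the external drive is any directory you pass as DEST_DIR.

# encrypted_backup SRC_DIR DEST_DIR PASSFILE
# Writes DEST_DIR/<dirname>-<utc timestamp>.tar.aes and a .sha256 of the
# ciphertext, and prints the archive path.
encrypted_backup() {
    src="$1"; dest="$2"; passfile="$3"
    name="$(basename "$src")-$(date -u +%Y%m%dT%H%M%SZ).tar.aes"
    out="$dest/$name"
    # tar the directory and pipe it straight into openssl, so plaintext
    # never touches the backup drive. -pbkdf2 derives the key from the
    # passphrase with many iterations; -salt makes repeated backups of the
    # same files produce different ciphertext.
    tar -C "$(dirname "$src")" -cf - "$(basename "$src")" \
      | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$passfile" -out "$out"
    # checksum the ciphertext so that bit-rot or a half-copied file is caught
    # before anyone relies on it
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    printf '%s\n' "$out"
}

# restore_backup ARCHIVE PASSFILE TARGET_DIR
# Verifies the checksum, decrypts, and unpacks into TARGET_DIR.
# Returns non-zero on a checksum mismatch or a wrong passphrase.
restore_backup() {
    archive="$1"; passfile="$2"; target="$3"
    dir="$(dirname "$archive")"; name="$(basename "$archive")"
    if ! (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1); then
        echo "checksum mismatch: $archive" >&2
        return 1
    fi
    tmp="$(mktemp)"
    # decrypt to a temporary file first so a decryption failure (wrong
    # passphrase, damaged archive) is detected before tar sees any data
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" \
            -in "$archive" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "decryption failed: wrong passphrase or damaged archive" >&2
        return 1
    fi
    mkdir -p "$target"
    tar -C "$target" -xf "$tmp"; status=$?
    rm -f "$tmp"
    return "$status"
}

# Constructed demo data standing in for the business documents, the
# passphrase file and the external drive.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/business/invoices" "$work/external_drive"
    printf 'Invoice 0001: 120.00\n' > "$work/business/invoices/0001.txt"
    # the passphrase lives on the everyday machine, not on the backup drive
    printf 'correct horse battery staple\n' > "$work/passphrase"
    chmod 600 "$work/passphrase"
    archive="$(encrypted_backup "$work/business" "$work/external_drive" "$work/passphrase")"
    if restore_backup "$archive" "$work/passphrase" "$work/restore" \
       && cmp -s "$work/business/invoices/0001.txt" "$work/restore/business/invoices/0001.txt"; then
        echo "restore verified: $archive"
    else
        echo "restore FAILED: $archive" >&2
    fi
}

demo
```

The restore is the part most people skip; run it on a schedule, not just once, because the drive, the passphrase and the software that reads the archive can all change between the day the backup was made and the day it is needed.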
It is never too early to build security into the operation. Doing so helps the business avoid costs that could have been averted as it matures. A culture of security awareness keeps a business focused on protecting its data, lets it develop products that might otherwise be considered too insecure to attempt, and enrols each member of staff as an additional guardian of the company’s information.
I will follow the development of the small company and the changing appetite for risk in my next post.
Photo by Norma Desmond