Mukul Pareek, CISA, ACA, AICWA, PRM
When thinking about risk appetite, it is a rewarding exercise to step back and ask where the real risk to an organization actually arises. If we understand risk as the likelihood and severity of the bad outcomes an organization wishes to avoid, then we should be asking how bad things in the technology risk universe actually occur in a business context, rather than how they are catalogued in a framework.
Innumerable research reports, including the recent Verizon Data Breach Report, show that the vast majority of attacks on organizations come from outside and not from within. The percentage of organizations that suffer attacks by malicious insiders is small by comparison.
Unfortunately, the focus of auditors and technology risk professionals has traditionally been extremely inward looking and quite often detached from the true risk that they are charged with identifying and mitigating. Instead of working with the business on implementing real protection, a great deal of time and money is spent on security theater and on protection from internal employees, even though historical experience shows that the insider threat is far less probable than the external one. Examples of such misguided efforts include expensive projects to eliminate developer access to production or to enforce precise segregation of duties, even in situations where such segregation is not commercially justifiable, merely to satisfy an audit requirement. At the same time, Internet-facing servers are left vulnerable to attack by outsiders, and most organizations lack even the most basic capabilities to detect, contain and recover from a cyberattack if one were to occur.
Our standards and frameworks can be equally inward looking, and they misdirect effort when time and money should instead be spent on strengthening the Internet-facing perimeter, protecting against targeted phishing-based attacks, mitigating exposure to zero-day vulnerabilities, and being able to rapidly isolate and remediate infected hosts. Any exercise that sets a risk appetite without considering the true risk to the organization, and that is excessively standards-, audit- or compliance-driven, is likely to be futile. Much caution is therefore advised when setting a risk appetite: avoid falling into the trap of looking only at the familiar and the mundane.