Trading risk against budget in IT security

Paul Bennington, Associate at The Bayard Partnership, a mechanical engineer with over 25 years’ experience in automotive production, takes a fresh look at a familiar topic.

Have you ever been in a situation where you don’t know what product to choose? There is either too much choice or, in most cases, you don’t have the money to buy the best, so you must make a compromise. We make trade-offs to get the best possible deal from the resources we have. We start doing this as children: with limited pocket money we go to buy sweets or toys and must decide what is best by colour, taste or size. As we get older the stakes get higher and sometimes, in the complexity, we lose sight of the process. When it comes to IT security, I’ve seen IT specialists and business leaders either diving into solutions without understanding the consequences or stuck without any idea how to proceed.

I started my working career in the automotive industry. Just one big office. Security was more about us not getting hurt than about protecting our information. The information was not in a computer; it was in a drawer under my desk, and the only encryption was my bad handwriting. By the time I left the automotive sector, things had changed enormously. There were rules imposed on us by “management” that restricted where we could go on the internet, what we could plug into our laptops and even how we should take our laptops into meeting rooms. We were in a new world where industrial espionage was rife and there were spy photographers parked outside our office hunting for pictures of our new cars.

Four years ago, I retrained and took a step sideways out of mechanical engineering and into the IT world; not as an IT technical specialist, but as a technical writer and then as an auditor for IT security.
I have read and re-read the standards for IT security, and I can understand where the rules imposed on us in the car industry came from, but as a user, the fundamental reason for them was never explained. As an auditor, the first thing I look for is the reason for applying any security rule.

The reason for applying IT security may sound obvious, but like the child in the sweet shop, we must make trade-offs, and those compromises should be based on a risk assessment. To many people a risk assessment sounds complicated but, in reality, it can be very simple. There is one question to ask: what is this information worth? And the common currency of worth is money!

There are two basic principles to remember in making a risk assessment.
  • Cost based: What would it cost if the asset or information were lost? There are many ways to define “lost”, among them: cost of replacement, cost of lost revenue, cost of legal fines and cost of damage to reputation.
  • Keep it simple: any risk assessment must guarantee three properties: the results must be repeatable, transparent and valid. That means that regardless of who makes the assessment or who reads it, they must all agree on the result. I recommend having a minimum of 3 and a maximum of 5 levels in your cost table. The levels should be broad enough to be easy to apply. For example:
    • less than €50
    • €50 to €500
    • €500 to €5,000
    • €5,000 to €50,000
    • above €50,000.
In the first instance, the assessment doesn’t have to be more complicated than that. If you only go to this level of detail, then at the end of the day you will know how much your information is worth and which information is more valuable, and, like the child in the sweet shop, you will be able to decide how best to spend your money.
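The cost-based assessment described above, worked through as a small script. This is an added example and not part of the article: the four loss components (replacement, lost revenue, legal fines, reputation) and the five euro bands are the author’s; the `Asset` class, the sample assets and their euro figures are constructed for illustration, and the rule that a band’s lower bound is inclusive (so €50 falls in “€50 to €500”, matching the author’s “less than €50” wording) is my assumption. The band check enforces the author’s “repeatable, transparent, valid” requirement mechanically: the table must be contiguous, ascending and have 3 to 5 levels, otherwise two assessors could band the same asset differently.

```python
from dataclasses import dataclass

# Cost bands from the article: (lower bound inclusive, upper bound exclusive, label).
# The inclusive-lower-bound convention is an assumption made here for repeatability.
COST_BANDS = [
    (0, 50, "less than €50"),
    (50, 500, "€50 to €500"),
    (500, 5_000, "€500 to €5,000"),
    (5_000, 50_000, "€5,000 to €50,000"),
    (50_000, float("inf"), "above €50,000"),
]


def validate_bands(bands):
    """Reject a cost table that would let two assessors reach different results.

    Bands must be contiguous, strictly ascending, cover every non-negative cost,
    and (per the author's recommendation) have between 3 and 5 levels.
    """
    if not 3 <= len(bands) <= 5:
        raise ValueError("cost table should have between 3 and 5 levels")
    expected_lo = 0
    for lo, hi, _label in bands:
        if lo != expected_lo:
            raise ValueError(f"band starting at {lo} leaves a gap or overlap")
        if hi <= lo:
            raise ValueError(f"band {lo}-{hi} is not ascending")
        expected_lo = hi
    if expected_lo != float("inf"):
        raise ValueError("top band must be open-ended")
    return True


@dataclass
class Asset:
    """One information asset with the article's four loss components in euros."""
    name: str
    replacement: float = 0.0   # cost to recreate or buy back the information
    lost_revenue: float = 0.0  # income lost while the information is unavailable
    legal_fines: float = 0.0   # regulatory or contractual penalties
    reputation: float = 0.0    # estimated cost of reputational damage

    def loss_cost(self):
        """Answer the author's one question: what is this information worth?"""
        return self.replacement + self.lost_revenue + self.legal_fines + self.reputation


def band_for(cost, bands=COST_BANDS):
    """Map a euro loss figure onto the cost table; the same cost always lands in the same band."""
    validate_bands(bands)
    if cost < 0:
        raise ValueError("loss cost cannot be negative")
    for lo, hi, label in bands:
        if lo <= cost < hi:
            return label
    raise AssertionError("unreachable: validated bands cover all costs")


# Constructed sample assets; the figures are illustrative, not from the article.
SAMPLE_ASSETS = [
    Asset("canteen_menu", replacement=20),
    Asset("supplier_contracts", replacement=500, lost_revenue=3_000, legal_fines=1_000, reputation=300),
    Asset("customer_database", replacement=2_000, lost_revenue=20_000, legal_fines=15_000, reputation=10_000),
    Asset("board_minutes", legal_fines=60_000, reputation=5_000),
]


def assess(assets=SAMPLE_ASSETS):
    """Return (name, loss cost, band) for each asset, most valuable first."""
    ranked = sorted(assets, key=lambda a: a.loss_cost(), reverse=True)
    return [(a.name, a.loss_cost(), band_for(a.loss_cost())) for a in ranked]


if __name__ == "__main__":
    for name, cost, label in assess():
        print(f"{name:20s} €{cost:>10,.0f}  {label}")
```

The ranked output is the article’s end point: it tells you which information is worth most, so the security budget can be spent where the loss would be largest rather than on whichever product was seen first.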
Written by

Paul Bennington

I am English by birth but have adopted Belgian citizenship. I have lived and worked in different countries around Europe. I have an Honours degree in Mechanical Engineering from the UK. I started as an engineer working for a heavy truck manufacturer in the UK as a test and evaluation engineer. I continued to work in the UK in different companies, but always involved in evaluation and test for suppliers and manufacturers in the automotive sector. Towards the end of the 1990s I became a project engineer, leading consultation projects from first customer contact through to completion of the test program and reporting of the results. At the turn of the millennium, I moved to Germany with my family and worked as a production engineer for a large American-owned vehicle manufacturer with responsibility for maintaining the cost/quality balance for all the systems in the door. In mid 2000, I moved to Belgium where I became a department manager with a large Japanese-owned vehicle manufacturer. This involved both management of personnel and liaison with the suppliers who worked with us. In 2006 I became a Principal Project Manager for total vehicle evaluation, and led many evaluation teams with sometimes conflicting goals such as cost reduction, performance enhancement and innovation. In 2016, I retrained in the new General Data Protection Regulation and I am now a project manager and technical writer with responsibility for compliance with ISO 27001 for a global logistics company. My specialisation: project and program management and team leadership; product development and innovation; physical product evaluation and testing; risk management and compliance (data protection and data security); technical writing; information sharing and technical presentations, learning; performance coaching.