Threat Risk Assessment: Learning From New Sources
Posted on Tuesday, August 2nd, 2016 by
This article was originally published in Canadian Security Magazine, in the May/June 2016 edition.

Security professionals managing risk programs can learn new approaches to assessing risks from a variety of non-security environments.

Use of Personal Experience

One recent personal experience serves as an excellent example of how we can learn from new, and sometimes painful, situations.

A beloved family member was on vacation when they fell ill, and had to be admitted to a foreign hospital. The care was exceptional, but our family member’s condition worsened very quickly. The diagnosis was terminal, and the time he had left was short.

The medical team charged with their care completed an assessment of the family member’s condition quickly - our version of a threat and risk assessment. The medical team determined it was appropriate to airlift the family member back home.

At first, we were upset. How could this team of apparently heartless doctors and nurses dare consider it was safe to fly our family member home? Why couldn’t they simply let them be at peace where they were?

The flight was scheduled, and the family member flew home with their spouse. Shortly after they were settled into a local hospital, they passed away. We were left with the loss, but the hidden lesson is something I am now starting to understand.

The clinicians at the foreign hospital had enough supporting evidence, from decades of previous clients, to realize that the costs of managing our family member’s care would exceed his insurance coverage, and that (based on the risk assessment, or detailed physical examination) our family member would be more comfortable at home in Canada.

Same Approach, Different Fields

It struck me that these clinicians had followed an approach we have used in the security industry while conducting risk assessments.

  • We consider the business context of the risk, as did they.
  • We look at the current gaps in controls - their approach looks at the health issues and how ardently the body fights disease.
  • We determine if the risk is high, medium or low. Doctors determine the survivability of disease, and how fit a person is for travel.

The more time I spent understanding their approach, the more foolish I felt for simply reacting emotionally instead of trying to appreciate their risk methodology.

Lesson Learned

I learned some valuable lessons from this chapter in my life and career. While we are learning to become a risk-based profession, the medical profession has been collecting meaningful statistics regarding the human body and its response to disease for centuries. They have mapped our genome, developed vaccines we could only have dreamed about decades ago, and created protocols to cure some of our most damaging diseases. The medical profession has continually applied risk management theories against their body of knowledge - comparing how well their risk remediation plans (treatments, vaccines, and cures) have fared against their recognized threats (measles, high cholesterol, and cancer).

We need to keep focusing on a risk-based, business-focused approach to security.

As professionals, we need to continually review our body of knowledge and our past and current understandings of how we assess risks, and how well our remediation plans worked.

I’m not writing about the loss of a family member to earn sympathy, or publicly deal with the loss. I have always been a strong believer in using real-life examples to help our security profession grow into a risk profession.

This was the lesson I found once I got past the loss - he’d be proud I found it.

Tim McCreight
About author:
Tim McCreight is the Director of Strategic Alliances for Hitachi Systems Security. Prior to joining Hitachi Systems Security, Tim acquired over 30 years in the security industry with leadership experience in both the physical and information security realms. He held executive positions at a number of organizations, notably as the Chief Information Security Officer (CISO) for the Government of Alberta and as Director, Enterprise Information Security for Suncor Energy Services Inc. Tim has presented as a keynote speaker at conferences across North America on such diverse topics as enterprise risk management, converged security, and implementing enterprise information security programs. Tim was awarded his Master of Science in Security and Risk Management (with Merit) from the University of Leicester and attained his CISSP, CPP, and CISA security designations. Tim was interviewed by Canadian Security Magazine in 2011 for his work as CISO with the Government of Alberta, and is a regular columnist for the magazine. Tim is also the international Chair for the Information Technology Security Council with ASIS International.
