With apologies to HBO & George R.R. Martin, here is a lighter, if not informative, look at Information Security (IS) Risk Management for your organisation – Game of Thrones (GoT) style!
Whether you’re a casual viewer or a GoT fanatic, you can rest assured that there are no Season 8 spoilers here. I could talk about the effectiveness of perimeter security, swipe cards, technological defences or perhaps the 24x7 monitoring of your defences like the Night’s Watch, but that would be too obvious.
You need to regularly audit your assets (Do you know all your assets? Hardware, software, information, people?) and the protective measures you surround each with (in other words, The Wall). You should consider what has changed in the internal and external environments that may impact The Wall, assess what this could do to your asset and take measures to improve your protection controls. This is active IS Risk Management in action.
Game of Thrones is a massive worldwide success. Millions of viewers tune in to every episode and are fixated on every action and every word. Why? Is it because of the glorious landscapes, epic battles, the “who will die next” scenes or the special effects?
Perhaps. But maybe part of the reason is the political intrigue, the human sociology, the ability for those that appear to be the physically weakest to have such command of their environment – be it at the dinner table, the gardens, or council chambers.
You too must be in control of your environment. When identifying your assets and the protection controls for each, you should consider the people involved, the processes undertaken and the technology supporting them to ensure you remain in control of your security environment.
One of the elements I like most about Game of Thrones is its strong characters. Unlike other fantasy genre series where there may be a small number of strong characters, GoT is full of strong characters. They range from elder Night’s Watch men to young children who must find their way and survive through adversity. How do they do this? What makes the difference?
The youngest female Stark is faced with more hardship at age nine than any normal child could handle. Yet, she ends up as one of the most accomplished fighters. Every chance she gets, she hones her skills: training, learning and improving.
We too have to be like the best of warriors in Westeros.
We must all strive to learn every day. Identifying weaknesses in the business processes, locating the risks to your success and SPEAKING UP! No one in your organisation should be afraid to raise an issue or concern. While we all have different views, we also all have worthwhile input and a common goal. A company is made up of its people and their voices should count.
In IS Risk Management, your ravens (warnings) can come in many forms. Reports from deployed technology like your IPS or IDS, financial reporting, operational audits, observations by experienced staff (who have “seen it all before”) and all of our employees’ concerns and worries. These are your messages.
A successful IS Risk Management programme must have the ability to read the message in a timely manner, understand it or seek clarification, communicate it to the right team or person and then act on the message accordingly. When you accomplish this, you increase the chances of reducing the IS risks to the data processed by your business and ensure its continued existence for another day. You must stay vigilant for ravens and understand their news – dark or not.
In your company you should take time with the technical tools (your weapons) you have and start to discuss the risks to your business (your words). Across all teams, you should introduce risk awareness workshops so that everyone can identify and describe the risks to your company’s existence. The workshops should allow team members to, in a ‘no-blame’ environment, openly discuss the risks to the success of their work. Project managers should challenge their project team, senior team members should query their team. Everyone needs to get involved in IS Risk Management.
Even if you have never seen or read Game of Thrones, you may have noticed on the Internet the regular references to “Winter is coming”, the motto of the House Stark.
You should not take part in IS Risk Management solely when it’s needed, such as when clients or potential clients come visiting, or at times of audits. You must embed IS Risk Management into daily practices.
Ask yourself questions like:
The last one relates not only to negative issues but also to opportunistic ones – opportunity risk is an often-forgotten element of risk management.
Final Season
As promised, there are no spoilers here. The final season of GoT will return shortly and I hope you enjoy it. For IS Risk Management though, there is no final season. It has been, and will be, re-signed for another run, and another run, and…well, it will never end.
It should be as constant and ingrained as the most routine daily task you have. IS Risk Management doesn’t have to be dull; it can reap great rewards. Just use your imagination when telling the IS Risk Management story to your organisation – it will help with your company’s success story.