Organizations need to understand and address information security risks both seen and unseen

If there is one thing I hate about driving, it is the left turn. Having been in two major car accidents, both of which included left turn scenarios (neither of them my fault), I believe I have good reason to feel the way I do. It turns out there are many others that agree with me.

Why UPS avoids the left turn

Follow a UPS driver around town and you'll notice something interesting: very rarely do they make left turns. UPS has known for decades that left turns are just not right (pun intended). Recently the New York City Department of Transportation concluded, like many previous studies, that twice as many accidents involve turning left as turning right.

Interestingly, while I was finalizing this blog article, CNN reported last week on this same subject. In its article, CNN highlights some astounding results of this risk management strategy for UPS. By implementing a right-turn focused initiative throughout the organization, UPS not only avoids accidents; it also saves an estimated 10 million gallons of fuel a year, the equivalent of taking 21,000 cars off the road!

Running a business always involves risk

The fact is, left turns represent just a small part of the multitude of risks we face each day of our lives, most of which we don't think twice about. Certainly my preference for steak and eggs on the rare side increases my risk of illness, and I admit it has from time to time resulted in some quality alone time with a bottle of Pepto. Riding the up-and-down roller coaster of business has been known to cause many of the same symptoms.

McDonald's founder Ray Kroc once said, "If you're not a risk-taker you should get the hell out of business." Running or owning a business definitely requires thick skin and a short memory to deal properly with the huge risks involved. However, it is important to remember that not all risks are created equal, and some risks are just not worth taking.


Applying risk management strategies to organizational information security

When it comes to your organizational information/data security strategy, what "left turns" can you eliminate to lower your risks while increasing efficiencies within the organization?

Of course you can't fix something you don't know is broken, which is why security standards like PCI DSS (Payment Card Industry Data Security Standard) and others begin with a determination of which "in-scope" areas of risk or security gaps exist in the organization. Just as airbags and seat belts lower the risk of injury or death in a car accident, it is important for organizations to constantly look for ways to lower or eliminate information security risks wherever possible.

The following enterprise risk management strategy approaches are relevant for how organizations can and should address these risks:

    1. Avoidance: exiting the activities that give rise to the risk
    2. Reduction: taking action to reduce the likelihood or impact of the risk
    3. Alternative actions: identifying and considering other feasible steps that minimize the risk
    4. Share or insure: transferring or sharing a portion of the risk in order to finance it
    5. Accept: taking no action, based on a cost/benefit decision

As organizations work to mature their security posture and/or comply with security standards such as PCI DSS, it is imperative that they focus first on getting a clear understanding of which risks they face and which risk management strategy is most appropriate for each risk.

While many known risks can be addressed internally within an organization, it is always appropriate to bring in an experienced and qualified third-party consultant who can look at organizational risks from an outside view. This is crucial to ensuring there is no potential conflict of interest, and it helps you fully understand all of your risks, both seen and unseen.

Semisi Brown is CRO at Protocol, a data security organization dedicated to helping organizations of all sizes increase information security awareness and risk management through education and efficiencies around PCI DSS and other compliance initiatives.