Mitigating Risk: Perception is Reality!

We are in the information age, where information is gold!

“On May 12th 2017, cyber criminals launched what is believed to be the biggest ransomware attack ever recorded. This ransomware outbreak, dubbed “WannaCry,” spread with unprecedented speed, taking down the systems of more than 100,000 organizations in over 100 countries—all within a span of 48 hours.”  (Kelisky, 2017).

We all see risks differently. First of all, what is a negative risk?

I like to define it as, a perceived vulnerably that negatively impacts an objective. The key here being the word perceived. An expert information security specialist will have a vastly different perspective on the risks associated with using non-vetted third party software on the company web site to process customer transactions than the management team running the project. Experts like these help the project team plan for what may happen.

During the fourth quarter of 2013, Target was victim of a malware attack in which the criminals stole names, addresses, and phone numbers of over 70 million people. Target is a large company, how could they not see this coming?

Every publicly traded corporation has to file 10-K financial statements with the Security Exchange Commission (SEC) and part of this report is a risk assessment.

In Target’s 2012 10-K a risk was identified as, “A significant disruption in our computer systems that could adversely affect our operations.” The description goes on to say, “If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.”

This was three risks below “weather conditions impacting consumer shopping patterns.” It was clear that Target’s Executive management lacked a realistic perception on the risks of network vulnerabilities. The CIO is ultimately responsible for measuring the risk to information systems and connecting that to stakeholder’s investments into the company.

Markon’s Risk Solution team manages our standard risk management process and template to assist PMs and clients alike. Our goal is to simplify the risk management process, so that we can create a risk aware culture.