What became very clear is that there is no simple definition or uniform set of guidelines to describe the role of risk management – for each company the precise role is shaped by its business purpose. G4S Secure Solutions, represented by Boris Goncharov, is a physical security company: its view is that there should be a single framework for all risks. "For me," said Goncharov, "it doesn't matter whether the risk is information or physical – at the end of it, the purpose is to protect your business assets; so all risks are managed within a single framework."
For Steria UK, a company with many different clients from both the public and private sectors, risk management is the process by which you find and focus not on all risks, but on those that are most pressing. The purpose of the risk manager is to transpose those risks into a language that the Board can understand – to make them business issues rather than technical issues – so that they can be tackled. "But only the most pressing five risks," said Matthew Lord. "You cannot expect the Board to handle all the risks you have."
And, he added, I never bother them with the basics – things like patch uptake and anti-virus. "They're under the radar and should just be handled." The risk manager should be watching for the new, developing threats –such as the rise of hacktivism – and take that to the Board before the risk becomes an event.
Skipton Building Society is a bank. Matt Palmer said "Our customers trust us with two things – their money and their personal information. If we lose their information, we will lose them as customers." So for Skipton, pure information security is central to the role of the risk manager. But while most risk managers report to the Chief Information Officer, he reports on the finance side of business, reflecting the importance of complying with Financial Services Authority (FSA) regulations.
This difference in approach showed itself in almost all areas. Asked whether the different companies maintained and used risk registers, Palmer said ,"Yes, we have them and we maintain them." Steria's Lord also maintains risk registers – but perhaps not so religiously as the bank. It is from the risk register that he selects the top five risks to take to the Board. Goncharov, however, is not so sure of the value of risk registers. "There are so many risks," he said. "The important thing is to protect the business processes – so we concentrate our efforts on that."
But despite the differences in detail, there is one common theme: the purpose of risk management and the function of the risk manager within infosec is not just technical - it's communications. It's the ability to understand the risks, but then to translate and communicate those risks into a business language that the Board can understand and to which it will feel compelled to respond. And one other point: these three CISOs discussed risk management as if they were risk managers. In practice, it would seem that the two functions are inseparable.