Security professionals discuss acceptable risk

By Staff Writer, ITWeb
Johannesburg, 09 May 2007

Industry experts generally agree that an acceptable level of risk is one that a business can overcome. Acceptable risk levels will therefore be different for large corporations compared to smaller companies.

Simon Perry from CA International emphasises that large companies are willing to accept more risk because of the amount of possible loss they could incur. "They will more likely have a dedicated IT team and larger budget to help deal with problems," he says.

But no matter the size of an organisation, the daily changes to risk mean companies must be able to track changes to their risk level, says Greg Day, senior security strategist at McAfee. He adds that this will enable businesses to balance the risk against their security investments.

ITWeb Security Summit 2007

Taking place from 22 to 25 May at Vodaworld, ITWeb's Security Summit will bring together international and local IT and security professionals, practitioners, industry experts and analysts. Delegates will gain an understanding of the key tools, techniques and strategies needed to safeguard their organisations' most valuable asset: information. International security guru Bruce Schneier will deliver the opening keynote address.

"Acceptable risk is where businesses understand the potential security threat, the financial impact it could have to their business and deem it either too insignificant to action or they have deemed the cost of mitigation to be greater than the risk in their business," says Day.

Adding to this, Maiendra Moodley, technical security advisor of the South African Reserve Bank, believes that risk comes down to what a company's shareholders are willing to accept in return for the possible reward.

Traditionally, reward is associated with expenditure, so risk can be associated with how much a company is willing to invest. Richard Stiennon, CMO at Fortinet, says that acceptable risk is incurred losses of 1-2% of annual revenue. Anything more than that warrants increased investment to reduce the risk.

But to justify investment, a company needs to consider how reasonable that investment will be, says Charl van der Walt, founder and director of SensePost Information Security. "For residual risk to be considered 'acceptable', the management of the company must be able to justify the decisions it took to these stakeholders," he says.

Van der Walt says reasonable practice can be measured through four significant norms: international standards, national regulations, industry best practice and vertical benchmarks.

He adds that these norms can be a good risk indicator for any size business.
