About Emily Holbrook

Emily Holbrook is the executive managing editor for National Underwriter Life & Health and the former editor of the Risk Management Monitor and Risk Management magazine. You can read more of her writings at EmilyHolbrook.com.

Risk Management: Art or Science?

Is risk-based security management an art or science? That’s one key question posed to more than 1,200 IT professionals in a recent survey by Tripwire Inc. and  Ponemon Research. The report, “The State of Risk Based Security 2013,” asked: “In your opinion, is information security risk management an ‘art’ or ‘science’?” For the purposes of the survey, “art” was defined as analysis and decision-making based on intuition, expertise and a holistic view of the organization. “Science” refers to risk analysis and decision-making based on objective, quantitative measures. They found:

  • In the U.S., 49% of respondents said “art” and 51% said “science”
  • In the UK, 58% of respondents said “science” and 42% said “art”
  • 66% of enterprise risk managers and 62% of business operations respondents say  risk based security management is “art”
  • 62% of IT security and 56% of IT operations said “science”

“Business operations and risk managers tend to view risk management as more of an art because they don’t feel a precise answer is needed to be able to make a decision,” said Dwayne Melancon, chief technology officer for Tripwire. “People in these roles are looking for directional information to guide their decisions. On the other hand, IT operations and IT security departments tend to view security risk management as a math problem that has a very precise answer. People with these viewpoints are talking about the same thing, but they are using very different language, which can make it difficult to come to a mutually agreed point of view.”

The findings illustrate the diversity of opinion on the use of risk-based security management in the organization. These differences of opinion, those often times valued, can can potentially complicate communication and collaboration that is necessary within a business setting.

The following is an analysis of responses by job title:


2013 Hurricane Season: Active Storms Ahead

Saturday, June 1, marks the beginning of the 2013 Atlantic hurricane season. Forecasters from Colorado State University predict 18 named storms for the 2013 season, with nine of those forecasted to become hurricanes and four expected to be major hurricanes. The National Oceanic and Atmospheric Administration’s Climate Prediction Center warns there could be even more storms to hit the Sunshine State — up to 20, in fact, compared to the average of 12. If these and other predictions are right, Florida will see its share of storms this season.

But Floridians are not oblivious to these stats. As the the June issue of Risk Management states:

Regardless of the predictions, many Floridians were already expecting to be hit. The state that is geographically most vulnerable to Atlantic storms and has the longest coastline among the lower 48 (1,350 miles) has been spared each of the past seven years. Hurricane Wilma, one of seven major hurricanes that made landfall in the United States during the historic 2005 season (the year of Katrina), was the last storm to punish Florida.

With 2013’s predictions being far worse than those of 2012, businesses should begin preparing now. According to the Insurance Information Institute, 15 to 40% of businesses fail following a natural disaster. Of those businesses that recover, on average, it takes about 11.5 days for them to become fully operational. This is a recipe for serious revenue and customer loss.

Bob Boyd, president and CEO of Agility Recovery, a provider of business continuity and disaster recovery solutions, provides the following advice for businesses in the path of hurricanes (or any natural disaster, for that matter).

Before the Storm

  • Ensure you have tested and activated your crisis communications plan prior to the storm’s approach. Even if the storm isn’t on a direct path to your location, activating this part of your plan will ensure reliable communications with your stakeholders.
  • Backup all data on servers and personal computers, and ensure you are able to remotely access and restore the data to an alternate site without delay.
  • Move vital records, equipment, supplies and inventory to a safe or fortified location. Postpone any future deliveries or shipments until the storm passes and transportation routes are passable.
  • Fill fuel tanks of generators and all company‐owned vehicles, and ensure employees are familiar with your emergency transportation plan for critical staff. Plan ahead for interruptions including curfews, law enforcement roadblocks, mass transit shut-downs, and impassable roads and bridges.
  • Enable remote access to your company’s website and social media channels to ensure constant communication with stakeholders. Contact the media ahead of time to make sure they know how to reach your leadership and spokespersons.

During the Storm

  • Ensure employees are away from wind and flood hazards and know the company policy regarding inclement weather. Take into account the fact that coastal flooding and storm surge are the most destructive and deadly forces during a hurricane.
  • Establish teams working on a 24-hour schedule to monitor any equipment that must consistently remain on line.
  • Preemptively shut off any unnecessary electrical switches to prevent surges or electrical shorts and accidents before the necessary checks are completed post-landfall.

After the Storm

  • Watch and listen to local news and online media channels for damage reports, transportation outages, lingering flooded areas and other potential dangers prior to assessing your facilities.
  • Establish and follow company policies for limiting access to your facilities until the area has been declared officially safe by local law enforcement, inspectors or company officials.
  • Begin contacting employees, suppliers, critical partners and other stakeholders to ensure their safety and ability to return to work.
  • Begin salvage as soon as possible to prevent further damage to facilities, inventory and assets. Begin work to restore any critical business functions that have been interrupted by the storm.

As we saw with the last two major hurricanes (Katrina and Sandy), preparation is paramount. In the New York area, Governor Cuomo marked this past week as Hurricane Preparedness Week — asking the state’s residents to review their preparations for the upcoming season. With 2013 predictions well above the seasonal average, this is advice every Atlantic coastal state should take seriously.

Credit Card Hack Could Cost $80 Million in Illinois

A massive credit card breach at a Missouri-based grocery store chain could end up cost $80 million in Illinois alone, according to a court motion filed last week. So far, at least three lawsuits seeking class action status have been filed against Schnucks Markets, Inc., alleging a breach that has affected 2.4 million cards used at 79 stores between early December and late March.

As the St. Louis Dispatch reports:

The suits allege that Schnucks knew about the breach days, perhaps longer, before it revealed the hack, and should have told customers about it sooner. The suit filed in Illinois on April 25 says the breach cost customers time and money, requiring card holders to spend hours canceling and getting replacement cards, and re-setting automatic payments.

In its motion, filed Friday, Schnucks puts a figure on this effort, saying that an estimated 1.6 million card transactions took places at its 23 Illinois stores during the breach period, representing 500,000 unique cards — about one-fifth of the cards compromised in the breach overall.

Plaintiffs argue that state law in Missouri and Illinois says that any store that stores personal data relating to customers must notify those customers as soon as the store becomes aware of a breach. Schnucks, however, says that the data stolen from customer credit cards included card numbers and expiration dates, not names, meaning they were not required to notify victims. It can be said that this looks bad on Schnucks — customer service-wise and reputation-wise.

The case is likely to head to the U.S. District Court for the Southern District of Illinois.

Relatively speaking, $80 million is nothing compared to, say, the Heartland Payments Systems security breach of 2008, which resulted in the theft of information from more than 100 million credit and debit cards and a 20-year prison sentence for the perpetrator. But even that doesn’t compare to this list of the top five most expensive data breaches.

RIMS 2013 Lives On

The 2013 RIMS Annual Conference & Exhibition may have been almost four weeks ago, but it continues to live on through internet videos. The World Risk and Insurance News—an online television network—has released several high-quality videos taken during RIMS. The following is a recap of the conference, featuring interviews with RIMS Executive Director Mary Roth, Steve Hearn of Willis, Jason Harris of XL and Alison Quinlivan of Aon, among others.

To see more videos from the conference, click here.