Reputation Risk: Some Additional Thoughts


This is a follow-up post to the two-part Richard Levick “reputation risk” series. The related posts are here: part 1, part 2, and some additional thoughts from Richard.

Below are my thoughts regarding some information and advice that Richard shared with us.

3.    What are the key components of a reputation?
Levick: … So the first rule is “Understand your reputation.”… If you don’t understand it, you can’t protect it.

This sounds like an absolute no-brainer statement, but I cannot overstate how important this is for information security practitioners, especially those performing risk assessments. I have stated it elsewhere on my blog: we are in a unique position to truly bridge the IT and business divide. Providing relevant business context to our leaders for the issues we want them to care about and respond to is value for them and the company as a whole. In addition, this is more than just knowing buzzwords and when to drop them. We need to present ourselves as an authoritative reputation stakeholder when we talk about reputation risk to our managers and business leaders.

4.    How can reputation be impacted when there are IT security incidents?
Levick: … The issue is how the company behaves once a data breach is discovered….

So much can be written about this part of Richard’s answer, but let’s talk about it in the context of security controls. Generally speaking, there are three categories of security controls: preventive, detective, and response. So when it comes to reputation risk, I immediately try to consider what response controls my company has at its disposal to respond to a security incident that has the potential to be known outside our company.

There are two response controls that immediately come to mind (they could be called various things):

Communications Plan: Does your company have a communications plan? Does the communication plan take into account data loss or network breach scenarios? The questions are numerous….

Event Management Plan: Does your company or information security organization have an event management plan? How thorough is it? Does it tie into your communication plan? Do the right players in your company have a role in the event management plan? Again, a lot of things to consider.

Bottom line: The effectiveness of the response controls listed above can significantly factor into the magnitude of reputation risk. How and what is being communicated may be beyond your control, but I would challenge you to see these plans for yourself so that when you estimate or articulate reputation risk, you are doing so with conviction and some level of confidence.

Finally, not everyone reading this may work for a large company that has a robust event management plan or a communication plan, let alone any plans at all. My advice: initiate the conversation and see where it takes you or your management!

***

Something I heard while serving in the U.S. Marine Corps that has proved so valuable over the years is this: It is better to be tried by twelve than carried by six. Meaning, when faced with an opportunity to make a decision, escalate a situation, share information, or ask questions, it is better to do so NOW and face ridicule or judgment than to do nothing at all. Take it for what it is worth…

***

5.    Can reputation be measured or quantified in units of dollars?

I agree that precisely measuring reputation in terms of dollars is challenging at best, but you can still perform some level of measurement. Generally speaking, reputation risk comes into play as a secondary loss form. That is, certain incident information is known outside the company by someone who can be considered a stakeholder of our company (consumer, customer, government, etc.). A security incident could result in loss of customers, decreased sales, fines and judgments, class-action lawsuits, negative publicity, etc., most of which can be tied back to dollar values and associated with reputation risk. Even if you disagree with this approach, if you are dealing with risk issues where reputation risk is a legitimate loss form, you can articulate that reputation risk is a contributing factor to the overall loss magnitude. Finally, I would caution against using reputation risk as the FUD stick that Jack Jones mentions in a comment in post 2, but make sure your audience understands that you think reputation is an important part of the overall exposure, and document it as well.

I hope you enjoyed the series. Have a splendid day!
