July 12, 2017  |  Risk Management  |  Security

Mitigating Risk: Perception is Reality!

We are in the information age, where information is gold!

“On May 12th 2017, cyber criminals launched what is believed to be the biggest ransomware attack ever recorded. This ransomware outbreak, dubbed “WannaCry,” spread with unprecedented speed, taking down the systems of more than 100,000 organizations in over 100 countries—all within a span of 48 hours.” (Kelisky, 2017).

We all see risks differently. First of all, what is a negative risk?

I like to define it as a perceived vulnerability that negatively impacts an objective. The key word here is perceived. An expert information security specialist will have a vastly different perspective on the risks of using non-vetted third-party software on the company website to process customer transactions than the management team running the project. Experts like these help the project team plan for what may happen.

During the fourth quarter of 2013, Target was the victim of a malware attack in which the criminals stole the names, addresses, and phone numbers of over 70 million people. Target is a large company; how could they not see this coming?

Every publicly traded corporation has to file a 10-K financial statement with the Securities and Exchange Commission (SEC), and part of this report is a risk assessment.

In Target’s 2012 10-K, one risk was identified as “A significant disruption in our computer systems that could adversely affect our operations.” The description goes on to say, “If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.”

This was listed three risks below “weather conditions impacting consumer shopping patterns.” It was clear that Target’s executive management lacked a realistic perception of the risks posed by network vulnerabilities. The CIO is ultimately responsible for measuring the risk to information systems and connecting that risk to the stakeholders’ investments in the company.

Markon’s Risk Solutions team maintains our standard risk management process and template to assist PMs and clients alike. Our goal is to simplify the risk management process so that we can create a risk-aware culture.


About the Author

Matt Davis

Matt Davis has been a project/program manager in the U.S. Government space for 14 years and has managed both large and small teams. He served over seven years in the U.S. Army while earning a Master's Degree in Business Administration. After the military, he earned several industry certifications, including PMI-PMP, PMI-RMP and PMI-ACP. He loves challenging himself to learn new ways of doing things. Matt believes that working with people is probably the most important thing he does, and that it is a beautiful thing when a group of people can work together toward a common goal.