16:20 - 18:00
Room: G1351
Oral session
Chair/s:
Ullrika Sahlin
A framework for Information Risk maturity
Per Strömsjö
Omegapoint AB, Stockholm

Information Risk (InfoRisk) is the potential that valuable information becomes compromised with respect to confidentiality, integrity or availability. Organizations must learn to assess and manage InfoRisk.

InfoRisk is often regarded as a matter for experts. And yet it concerns most services or systems that we construct and operate. In-house specialists must become "scalable" by training colleagues and devising methods for Security Risk Assessments (SRA) that non-experts can perform.

InfoRisk can be emergent and involve several areas. A first step will be to establish territories with corresponding Risk Owners (RO) who are accountable for driving their own SRA. We can think of this local ownership as risk maturity. How can the CISO (Chief Information Security Officer, or similar) measure risk maturity?

Many SRAs present an incomplete view. Either those involved were mostly interested in certain things (such as the next version of a system) or key competencies were not involved. To what extent has the territory been covered?

To enable a coherent view of InfoRisk, every RO should report comparable results by using the same method. The challenge is to educate every new RO. For each reported SRA, to what extent has the common method been followed?

A scalable CISO should not need to be involved in every SRA. Each RO is accountable for planning, facilitating, performing and reporting their own assessment. A mature RO will report on time, without being reminded. For each RO, to what extent is this true?

Using these three aspects - coverage, methodology and regularity - represented on simple qualitative scales (e.g. low-medium-high), each RO can be given a "scorecard". This way of measuring (representing) maturity is also well-suited for a traffic-light dashboard for top management.

Security officers should maintain an updated, coherent view of InfoRisk. In order to appreciate the picture, management needs to understand the "white spots". Are there critical services or systems where no SRA was done? Or is the most recent risk information outdated? By recognising (and developing) the maturity of each RO, the organisation will be able to interpret and qualify reported risk, and also find areas of improvement.
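As an added illustration of the scorecard and the "white spots" described above (example code, not part of the abstract or the author's framework): each RO is scored on coverage, methodology and regularity from their reported SRAs, the three levels feed a traffic light that follows the weakest aspect, and systems with no SRA or an outdated one are listed. The list of method steps, the one-year staleness limit, the scale thresholds and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed, not from the abstract: steps of the common SRA method, staleness limit, scale thresholds.
METHOD_STEPS = frozenset({"scope", "threats", "impact", "likelihood", "treatment"})
STALE_AFTER_DAYS = 365

@dataclass(frozen=True)
class SRA:                      # one reported Security Risk Assessment
    system: str
    owner: str                  # the Risk Owner who reported it
    reported: date
    due: date
    steps_done: frozenset       # which steps of the common method were followed

def level(ratio):
    """Map a 0..1 ratio onto the low-medium-high scale (thresholds assumed)."""
    return "high" if ratio >= 0.8 else "medium" if ratio >= 0.5 else "low"

def scorecard(owner, territory, sras):
    """Coverage, methodology and regularity for one RO, plus the dashboard traffic light."""
    mine = [s for s in sras if s.owner == owner]
    coverage = len({s.system for s in mine} & set(territory)) / len(territory)
    n = len(mine) or 1          # an RO who reported nothing scores 0 on the other two aspects
    methodology = sum(len(s.steps_done & METHOD_STEPS) / len(METHOD_STEPS) for s in mine) / n
    regularity = sum(s.reported <= s.due for s in mine) / n
    card = {"coverage": level(coverage), "methodology": level(methodology),
            "regularity": level(regularity)}
    rank = {"low": 0, "medium": 1, "high": 2}
    worst = min(card.values(), key=rank.get)   # the colour follows the weakest aspect
    card["traffic_light"] = {"low": "red", "medium": "amber", "high": "green"}[worst]
    return card

def white_spots(territory, sras, today):
    """Systems in a territory with no SRA at all, or whose latest SRA is outdated."""
    latest = {}
    for s in sras:
        latest[s.system] = max(latest.get(s.system, s.reported), s.reported)
    return sorted(sys for sys in territory
                  if sys not in latest or (today - latest[sys]).days > STALE_AFTER_DAYS)

# Constructed sample data: two territories and three reported SRAs.
TERRITORIES = {"alice": ["payments", "ledger", "portal"], "bob": ["hr", "payroll", "recruiting"]}
SRAS = [
    SRA("payments", "alice", date(2018, 3, 1), date(2018, 3, 15), METHOD_STEPS),
    SRA("ledger", "alice", date(2018, 4, 10), date(2018, 4, 15), frozenset({"scope", "threats"})),
    SRA("hr", "bob", date(2016, 5, 1), date(2016, 5, 30), METHOD_STEPS),
]
TODAY = date(2018, 6, 18)
```

With the sample data, `scorecard("alice", TERRITORIES["alice"], SRAS)` comes out amber (coverage and methodology medium, regularity high) while bob is red on coverage alone, and `white_spots` flags "portal" for alice and all three of bob's systems, because his only SRA is over a year old.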
Reference:
S16-01
Session:
Risk management education and practice, part II
Presenter/s:
Per Strömsjö
Presentation type:
Oral presentation
Room:
G1351
Chair/s:
Ullrika Sahlin
Date:
Monday, 18 June
Time:
16:20 - 18:00
Session times:
16:20 - 18:00