IT and security professionals should present IT risk in terms the board can understand, and stick to standardised assessment methods to achieve that goal, according to Unilever’s global security director.
Speaking at Gartner’s IT Security Summit in London, Andrew Strong said the consumer products group was using a risk model known as criticality and risk management assessment (CARISMA) and it had proved a successful means of explaining risk to non-specialists.
Strong said CARISMA was enabling Unilever’s board to make more informed decisions and to create a structured model to define and tackle risk across the organisation.
“It’s proved effective in convincing chief executives and financial directors of the need to talk about risk in more understandable terms,” he said. “In business we all know there are risks to our information, but what we also have to do is assess those risks consistently.”
Under CARISMA, Unilever’s IT security department established common processes and gained the endorsement of the financial director, before assessing the criticality of each risk and then providing a detailed risk assessment to executive management.
It also produced what it called a ‘harm reference table’ that placed each potential risk into categories from ‘mild’ to ‘severe’, giving a clear demonstration of how much the resulting damage could cost, so that the appropriate level of preventative action could be taken.
Strong advised other security directors that, if they adopted this approach, the wording of the categories should be graded according to their company’s appetite for risk.