There are many kinds of risk: operational, legal, and reputational risk. Most large enterprise IT teams are comfortable and proficient at measuring operational risk. It features in reports as minutes of downtime, incidents of endpoint reimages, number of patches installed, hours of overtime.
Legal risk isn’t that hard to handle, either. IT can draw on peers, auditors, and legal staff for expertise.
However, reputational risk seems to be a far more unfriendly concept. I find technical people typically consider reputation a soft science, a squishy topic that can’t be measured. As a result, IT can’t set goals, gauge progress, or claim success based upon “reputation,” and product creators cannot specify requirements for “reputation.” Because it can’t be managed like other metrics, IT staff and technical business units may ignore or downplay reputational risk’s potential impact on the business—and their roles in protecting it.
IT is missing a gigantic opportunity
I believe you can measure or at lest approximate reputation, applying metrics to the same influences that affect your customers and your C-Suite executives: news headlines and stock prices. If you count the number of published reputation-buffeting events each month—the headlines in the email news summaries you receive from SC Magazine, for example—you can see what the public is talking about, and that dialog will affect the rise and fall of organizational stock prices. Reputation and market sentiment are huge factors in market valuation, which is something your CMO and CFO are tracking. Although your interest may be in the technical security side of the business, you can take actions to measure, manage, or mitigate reputational risk.
Building a Reputational Heat Map
Well before the mortgage crisis was discussed in the public and mainstream press, it was anticipated in whispers at investment community conferences and insider blogs. Eventually, and much too late for most people and the economy, it was covered in USA Today and other mainstream papers on the doormats of hotel rooms coast to coast.
Security issues that affect risk appear first in smaller, insider places, too. Then they migrate to the mainstream, to NPR, the Washington Post, Wired, and Vanity Fair. (Look at Stuxnet references on Wikipedia for a great example of this sequence.) With enough mainstream angst, trends start to register on the regulatory radar—with the European Community, the Federal Trade Commission, and others. We experienced this pattern with behavioral marketing. Privacy advocates raised objections in 2005, well before the FTC published its principles for behavioral marketing in December 2007. We are still seeing news and blog coverage on this topic today as companies experiment and push the envelope leveraging new technologies and relationships.
By the time a security topic attracts a reporter in the mainstream press, you had better have a strategy for that problem. You should be able to brief your boss with an assessment of your business’s risk, including the risk to your reputation.
This assessment is possible, but you need to be selective. Just as you don’t want to read every log entry from your IPS, you don’t want to attempt to assess all topics everywhere on the Net. Instead, think about YOUR audience and what they read—or you wish they would read. Look at two tiers of publications: mainstream media and online influencers, including blogs and news feeds. Sign up for emailed daily updates if they are available from the 3-5 most relevant sources. Also, if there is an “insider” conference, you can look at the session titles and monitor news summaries for perspective on what the industry thinks is hot.
That’s your pre-work. You should revisit these decisions at least once a year, or when your business or the markets change significantly.
Now, the ongoing process. Your workflow is to:
- Notice topics that relate to your risks.
- Count the number of times these topics are mentioned in headlines or news stories. Depending on your work style (and the frequency of the publications you are tracking), you might either jot down mentions as you see them or save these mentions in a file for review monthly.
- Create a spreadsheet: rows are the topics, columns are the dates. In each cell, note the number of headlines or significant mentions. If you think it’s going to be important, start to capture dates and publications (use links if you can) so you can back up your ideas. (Store this info somewhere else, not in the mention count cell, or you won’t be able to convert to a chart.)
- Once a month, use the spreadsheet’s charting function to generate a “heat map,” an assessment of which topics have generated the most energy in the news.
- If a relevant topic has generated significant coverage in insider publications, there’s a good chance it will reach the mainstream press. If you think this might happen, summarize your findings in a concise note to your boss and your security team. Include an overview of what the issue is, what the coverage has been so far, what the impact would be on your business, and what efforts might be appropriate to mitigate these risks.
Voila. You have quantified reputational risk.
Do this well, and you will be prepared if and when you need to discuss ideas with others. Instead of coming in with only technical data about a problem, you can talk with your colleagues in the context of the risk landscape. You look more strategic and more business-oriented. You are doing more, considering more, and recommending risk management efforts that are proportional to security. This position supports IT’s increasing need to do internal selling to non-IT people in order to get the right projects funded.
At a minimum, this exercise will keep your knowledge of the risk landscape current, and you will be more fun at parties. You can talk to non-security people about ideas that they will recognize and explain risks in terms that they can understand. Perhaps you will detect the next “mortgage crisis” level event in time to help a few people avoid its devastation.