Here's an example of the kind of battle I have on a daily basis trying to get people into a security mindset:
Me to Relationship Manager (RM): Can you please ask the client to complete the attached Business Impact Analysis (BIA) template so we can understand how valuable their data is, in order to assess whether or not the existing security measures are appropriate to the value of their data. It's important that they look at this from the perspective of what it would mean to the business if the data was lost, disclosed or changed, based on the worst-case scenario and irrespective of the likelihood of it happening or the security measures currently in place to prevent an incident. At this stage we need to understand the possible impact of a security incident, not the risk of an incident occurring - the likelihood and current mitigating security controls will be taken into account in the next stage.
(I also followed this up with a telephone call to ensure the RM clearly understood what I was asking for)
RM to Me: Please see the attached completed BIA
Me to RM: Thanks for that, but can you please ask the client to amend the BIA to reflect the value of their data and the impact of it being lost, disclosed or changed, without considering the likelihood of an incident occurring or the existing security controls in place. They've put in the summary notes that they have based their conclusions on the fact that they haven't had an incident in the past year (to their knowledge) and they have processes in place to mitigate the risk. Again, at this stage we're not considering existing security controls because we purely want to know the possible impact to the business in terms of financial loss, reputational damage, legal/regulatory penalties, customer impact, etc. (as per the template) if the data was lost, disclosed or changed - we need to know the value of the data, not the risk of an incident occurring.
RM to Me: I added in the extra comments - not the business. We just tried to add some common sense to the process - i.e. how the system actually works. If they had answered everything on a 'worst case scenario' then every answer would have been red, which I don't think helps anybody.
Me to RM: But that is the point: if it's all red it needs to be all red; you can't just change the value of their data because it doesn't help us. Again, this is the Value, not the Risk. Whereas the value would be all red, the risk value, taking into consideration existing controls and the likelihood of an incident, might bring it down to Amber or Green, but at the moment I just need to know what it would mean to the business if their data was lost, disclosed or changed, not the likelihood of it happening.
Finally the Relationship Manager understood what I was asking (even though I talked her through the process on the phone at the beginning and she made out that she understood).
You need a lot of patience for this job!