I was watching The Cryptographers' Panel keynote session at the RSA Conference last week (http://www.rsaconference.com/videos/21/the-cryptographers-panel) and learned that the security geniuses have figured out how to capture decryption keys from laptop computers by acoustically listening to them. I was blown away by this piece of information because I grew up as an IT auditor thinking the coolest way to compromise a computer was through electromagnetic monitoring. Not any longer: acoustic monitoring is even cooler!
Beyond the realization that computers may need to be constructed in the future to prevent them from being compromised acoustically, this brand new, rather esoteric bit of technical information reminds me of a profoundly important principle of effective risk management: not only must you have competent risk managers in place, but those risk managers must stay vigilant to changes in the organization's risk profile.
Changes in an organization's risk profile originate both internally and externally. Internal changes typically come from activities such as the introduction of a new product; changes in people, process or technology; and mergers and acquisitions. In the case of acoustic cryptanalysis, the change in risk profile originates externally, from a newly discovered technical threat.
In either case, risk managers need to proactively identify and assess changes and ensure that the organization's risk profile remains within its tolerance level. This requires risk managers to be attuned to internal changes within their organization as well as to external factors that could affect it. Staying on top of internal activities that may affect the risk profile will be much less challenging for organizations that use GRC technology that automatically alerts them when such changes are occurring.
Staying on top of external activities that might affect an organization's risk profile is more challenging. Evaluating the impact of externally originating threats often requires examining external data such as published loss events, market prices, interest rates, and credit scores of customers and vendors. It requires monitoring changes in regulations, competitive intelligence, customer preferences, economic conditions, and market demand. Lastly, it requires risk managers to understand their field of expertise not only from a historical perspective but also to stay abreast of new and emerging threats that could affect their organization.
Ongoing awareness of internal and external changes is a big step toward removing uncertainty. On its own it does not guarantee that an organization will meet its objectives. However, organizations that effectively apply this awareness to evaluating changes in their risk profile are much more likely to prosper than those that do not.