CHAPTER 2: INFORMATION SECURITY AND BUSINESS RISK
As already outlined, a common fallacy among security people is to think that ‘any and all’ information security risks will turn into severe risks for the organisation. This is profoundly untrue. Although every incident has an impact, the nature of that impact must be examined to determine whether it actually endangers the organisation. Companies are not seduced into doing too much – usually they do too little – but the credibility of security professionals (be they consultants, CSOs, CISOs and so on) and of their analysis, papers, statements and expert opinions suffers heavily from such generalised statements as ‘any and all’. The result is that business people and decision makers will ‘shut down’ and will n