Today, I am going to share an excerpt from a draft of my upcoming book, Making Business Sense of Technology Risk.
I welcome your comments and feedback.
Is the level of concern about cyber merited? Should organizations and individuals be as worried about the possibility and consequences of a breach as they are advised by the consultants, information security pundits, and in news reports?
The answer is “it depends”.
The potential for harm is not the same for every organization, in every nation, and in every industry sector.
For example, when I was with Tosco Corporation as head of internal audit, I was worried about the possibility that a hacker might breach our cyber walls and get to the control system in one or more of our refineries’ process units. Whether by accident or on purpose, they could change pressure or temperature settings and cause a fire or explosion that would likely kill or severely injure a number of employees.
But gaining access to our corporate systems was much less of a concern. They might disrupt our business for a while, but any consequences of the breach would not be of a magnitude that would cause the organization to fail.
After Tosco, I joined Solectron Corporation. This was a contract manufacturer of…