It is no secret to security and risk management professionals that security is a function of people, processes and technology. But when it comes to spending, historical data tells a very different story. Most organizations have traditionally spent a disproportionately high percentage of their security dollars on technology, relying largely on product-based approaches to solve their security issues.
Deploying technology may be easier than changing how employees think, or instilling the rigor of process within organizations, but it may not be very effective by itself. In this tip, we'll cover five steps that any organization can utilize to build a framework for mitigating business risk.
Step 1: Understand and define your information risk universe
To develop a comprehensive information risk management (IRM) framework, CISOs must first define their responsibilities. For example, Forrester Research's framework consists of 17 domains that span people, processes and technology. But defining these domains is useless by itself unless each domain has appropriate controls to ensure the confidentiality, integrity and availability of information.
Step 2: Determine confidentiality, integrity and availability requirements
Not all areas of a business require the same level of protection. Contractual obligations and legislative mandates may determine business controls for some organizations, but for many others, informed
- How confidential is the function? Assess the potential impact of a data breach in this function on your firm's overall business. For example, sanctions from the Federal Trade Commission (FTC) are often the least of a company's concerns; companies frequently pay a much heavier price in lost business reputation and ongoing litigation.
- Is the accuracy of this function's information relied on heavily? Next, assess the potential impact of data corruption, which can vary widely. For example, cases of customers receiving the wrong medication are more difficult to handle than customer support complaints.
- If this function is not there when needed, what are the consequences? Time is almost always money. You might not be worried about your instant message (IM) conversations being eavesdropped upon, but the company's Web site, which brings in $2 million a day, can't be threatened or knocked offline, even for a few minutes.
Step 3: Define your controls
The role of a security office has expanded considerably over the past few years. CISOs are now responsible for areas such as business continuity, disaster recovery and compliance. There are related areas that the CISO is not directly responsible for, such as physical security, applications development and IT operations, but these functions have huge implications for the overall security of information assets. CISOs need to monitor and measure the security controls in all of these business groups to be able to do their jobs effectively. CISOs should employ a framework-based approach to identify and measure these areas in order to track their progress over time.
Step 4: Develop enforcement, monitoring and response mechanisms
An IRM framework must ensure that these controls are defined, enforced, measured, monitored and reported. For areas where these controls may not sufficiently mitigate the risk, CISOs must ensure that those risks are reduced, transferred or accepted.
Step 5: Measure and report
In a recent survey, Forrester found that the majority of security metrics programs are still in their infancy or planning phases. The respondents cited two main challenges in developing their metrics programs: finding the right metrics and translating the security metrics into business language.
Many security managers are focused on gathering and reporting tactical and status-update information. To develop a successful security metrics program, CISOs need to identify, prioritize, monitor and measure security based on business goals and objectives. They should then focus on translating those measurements into business language that executive management can use when making strategic business decisions.
The enormity of the effort and struggle to find the right metrics for their organizations overwhelmed many of the CISOs we surveyed. Today, most organizations have good security policies and appropriate technologies and processes to enforce them. There are some monitoring and response capabilities, but a vast majority of organizations today don't have good security measurement capabilities. Measuring and reporting adherence to security policies is a critical component of your security program and should never be underestimated or overlooked.
Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at kkark@forrester.com.
This was first published in January 2008
