It is no secret to security and risk management professionals that security is a function of people, processes and technology. But when it comes to spending, historical data tells a very different story. Most organizations have traditionally spent a disproportionately high percentage of their security dollars on technology, relying largely on product-based approaches to solve their security issues.
Deploying technology may be easier than changing how employees think, or instilling the rigor of process within organizations, but it may not be very effective by itself. In this tip, we'll cover five steps that any organization can utilize to build a framework for mitigating business risk.
Step 1: Understand and define your information risk universe
To develop a comprehensive information risk management (IRM) framework, CISOs must first define their responsibilities. For example, Forrester Research's framework consists of 17 domains that span people, processes and technology. But defining these domains by themselves will be useless unless each domain has appropriate controls to ensure confidentiality, integrity and availability of information.
Step 2: Determine confidentiality, integrity and availability requirements
Not all areas of a business require the same level of protection. Contractual obligations and legislative mandates may determine business controls for some organizations, but for many others, informed judgment calls in conjunction with partners in line-of-business jobs is necessary. When assessing the criticality of a function, answer these three questions:
- How confidential is the function? Assess the potential impact of a data breach for this function on your firm's overall business. For example, sanctions from the Federal Trade Commission (FTC) are often the least of a company's concerns; often times, companies pay a much heavier price in the loss of business reputation and ongoing litigation.
- Is the accuracy of this function's information relied on heavily? Next, assess the potential impact of data corruption, which can vary widely. For example, cases of customers receiving the wrong medication are more difficult to handle than customer support complaints.
- If this function is not there when needed, what are the consequences? Time is almost always money. You might not be worried about your instant message (IM) conversations being eavesdropped upon, but the company's Web site, which brings in $2 million a day, can't be threatened or knocked offline, even for a few minutes.
Step 3: Define your controls
The role of a security office has expanded considerably over the past few years. CISOs are now responsible for areas such as business continuity, disaster recovery and compliance. There are related areas that the CISO is not directly responsible for, such as physical security, applications development and IT operations, but these functions have huge implications on the overall security of information assets. CISOs need to monitor and measure the security controls in all of these business groups to be able to do their jobs effectively. CISOs should employ a framework-based approach to identify and measure these areas in order to track their progress over time.
Step 4: Develop enforcement, monitoring and response mechanisms
An IRM framework must ensure that these controls are defined, enforced, measured, monitored and reported. For areas where these controls may not sufficiently mitigate the risk, CISOs must ensure that those risks are reduced, transferred or accepted.
Step 5: Measure and report
In a recent survey, Forrester found that the majority of security metrics programs are still in their infancy or planning phases. The respondents cited two main challenges in developing their metrics programs: finding the right metrics and translating the security metrics into business language.
A lot of security managers are focused on gathering and reporting tactical and status update information. To develop a successful security metrics program, CISOs need to identify, prioritize, monitor and measure security based on business goals and objectives. They should then focus on translating those measurements into business language that can be of use to executive management when making strategic business decisions.
The enormity of the effort and struggle to find the right metrics for their organizations overwhelmed many of the CISOs we surveyed. Today, most organizations have good security policies and appropriate technologies and processes to enforce them. There are some monitoring and response capabilities, but a vast majority of organizations today don't have good security measurement capabilities. Measuring and reporting adherence to security policies is a critical component of your security program and should never be underestimated or overlooked.
Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at firstname.lastname@example.org.