Data Security Strategies: Adopting a Risk-based Stance

05/20/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security


Take note of an alarming trend: organizations are concentrating too much on compliance. Compliance is typically driven by law, and we all have to comply with government regulations. But organizations would be well advised to stop treating security controls as a response to compliance and start treating them as a core function that protects a key asset: data. In this more mature approach, companies build programs that secure the areas of the business that pose the most risk if compromised. These organizations typically end up with stronger controls than the ones mandated by compliance, and their data security strategies are far more relevant to the needs of the business. In fact, if everyone had adopted a risk-based approach to security to begin with, we probably would not have needed compliance regulations in the first place.

Data Security Based on Business Risk

Too often, a security program consists of troubleshooting and firefighting: reacting to incidents as they arise and scrambling when audit time rolls around. By contrast, risk-based management teams align security controls with the organization's risk tolerance. They conduct assessments and institute controls proportionate to the level of risk in each area of the business. Most organizations conduct some type of risk assessment to uncover gaps in their security programs. Taken to the next level, each of those gaps should be evaluated for its impact on the organization should an incident occur. How proprietary is the data? What would it do to operations if someone stole it? Are resources available to contain a serious breach or a targeted spear phishing attack? How much public trust can the organization afford to lose? To answer these questions, cross-functional management teams must be engaged to help determine the risk tolerance in their particular area of responsibility. The good news is that a risk-based approach will often exceed compliance obligations: simply by making the decisions that are best for the business, compliance becomes much easier to manage.

It’s Everybody’s Business to Evaluate Risk

Even though major breaches are constantly in the news, many executive management teams naively assume it won't happen to them. The IT staff know better. The people who protect systems and data every day are aware of how exposed the organization is and how frequently attackers are trying to get in. The challenge for the security team is communicating the critical nature of the situation and persuading the people in authority to allocate budget and resources for a better security program. For starters, it behooves those responsible for security to reach out to senior management in other departments and educate them on the current threat environment. Legal counsel, the audit department, even the board, all have a vested interest in understanding how vulnerable the company is and what would happen if it were compromised. These individuals are in positions of leadership and can advocate for allocating additional resources to security controls. It may feel disingenuous to build such alliances, but it isn't. Previously seen as the keepers of the data, IT staff need to recognize that the burden shouldn't fall solely on them, and that engaging the rest of the organization is in everybody's best interest.

One issue the security team often has is knowing how to present its concerns. Because they deal with intrusion attempts constantly, they tend to lead the discussion with a sense of urgency and a "sky is falling" mentality. But company executives are more persuaded by impact on revenue than by scare tactics. After all, systems are up and running every day without major security issues, so can the perceived threats really be that bad? When the security team does its homework and presents a business case for increased security controls, the threat to business operations, and ultimately to revenue, becomes much clearer.

If the security team is unable to persuade the executive management team on its own, a third-party perspective may be called for: knowledgeable professionals such as internal advisors, consultants and business partners. Local FBI cyber crime units are often willing to present to management teams at no charge. Not only can they share accounts of companies that have been devastated by attacks and the ingenious ways the thieves got in, they can also provide a more objective point of view than an internal team. Most companies are in business to create value for their shareholders. Simply put, this means increasing revenues and/or reducing costs. An investment in security controls does not directly move either of these measures, so its value has to be expressed in terms of the business risk it reduces. A security team should therefore be well versed in evaluating and communicating the business risk addressed by each control. With that grounding, it can educate its management team on what a sound security program entails and what its impact on the bottom line will be.
