The nature of risk management has changed over the past 2 decades. Previously isolated IT infrastructures are more connected with the outside world, and organizations face an ever-expanding threat landscape. Most organizations operate in a reactive mode, typically driven by an outside-in fear and avoidance approach where priorities are based on the latest known threat or new regulation. The challenge with this approach, in addition to it being reactionary and driven by outside forces, is that it promotes a keep-the-lights-on mentality, results in an inefficient use of resources and distracts from the priority of protecting an organization’s most critical data assets.
The motivation is primarily the fear of fines and reputational risk. For a security program to succeed and reduce information technology risk, a focus on driving business value by effectively mitigating risk wherever it may live is preferred.
The Risk IT Framework developed by ISACA includes the following core principle: Make IT risk management a continuous process and a part of daily activities.
This tenet is prescient because today’s threat landscape never sleeps. Digital transformation, SensorNet, cloud and DevOps are creating dramatically expanding attack surfaces. Attackers are constantly looking for a way in, and employees are finding new ways to accidentally expose sensitive information. Annual penetration tests or security reviews do not cut it. Regulatory-focused security programs cannot keep up. So how can organizations move from a reactionary approach to a proactive, risk-centric program?
- Know your business—Understand what information is most important to the organization. Understand what information assets drive the business and need more protection. One-size-fits-all security is not effective and can add substantial costs when it is not warranted. Talk to internal department leaders and get to know how security programs can add value to their lines of business.
- Conduct a comprehensive risk assessment—Doing so will uncover where gaps in your existing programs are against appropriate regulations, standards and best practices. An assessment will provide a risk model to help identify the most likely attackers, assets they are most likely to go after and the overall impact to the organization in case of an incident.
- Do not stop at a checklist—While a thorough assessment will provide a list of items to be addressed, move beyond a simple checklist. Each identified gap should be surrounded by control, planning and continuous risk monitoring.
Information security and risk management are not easy fields in which to succeed. These 3 basic steps can help you start transforming your organization’s approach to cybersecurity. The benefits of doing so include reducing security technology clutter, minimizing operational expenditures, and creating a program that is business aligned and more effective at reducing risk.
Read Brian Golumbeck’s recent Journal article:
“Moving Risk Management From Fear and Avoidance to Performance and Value,” ISACA Journal, volume 3, 2019.