What a Risk-Based Approach to Security Means for Your Business

Monday, June 20, 2016

Steve Durbin

D36d0936f0c839be7bf2b20d59eaa76d

As cyber security risks increase in number and sophistication, organizations need to switch from responding to incidents, to identifying them to prevent them before they occur.

Developing a robust risk-based approach to security needs to focus on supporting organizations to prioritize information security threats, understand the techniques that may be employed as part of the attack and evaluate the capability of controls to prevent, detect and respond to an attack. Without this knowledge, an organization will struggle to determine the level of exposure to particular threats and if their cyber incident response plans are structured and ready to address these threats when they arise.

Protecting Your Most Sensitive Information

Executives are familiar with the massive benefits of cyberspace and how the Internet, and today’s growing usage of connected devices, greatly increases innovation, collaboration, efficiency, competitiveness and commitment to customers. Unfortunately, many struggle with assessing the risks versus the rewards.

One thing that businesses must do in this day and age is ensure they have standard security measures in place. One example of guidelines would be the Information Security Forum(ISF) Standard of Good Practice(The Standard).

The Standard is used by many international organizations as their primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, BYOD, the Cloud, insiders and espionage. As a result, The Standard helps the ISF and our members maintain their position at the leading edge of good practice in information security.

Institute a Risk Assessment Process

At the ISF, we define Information Risk Assessment as the process of assessing potential business impact, evaluating threats and vulnerabilities and selecting appropriate treatment to meet the business requirement for information security.

Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of risks to information that could compromise success.

A piece of supplementary material that I advocate reviewing is the ISF Threat Radar. The Threat Radar plots the ability to manage a threat against its potential level of impact, thus helping to determine its relative importance for an individual organization. It can also demonstrate any likely change that may happen over the period in discussion using arrows.

It is imperative to remember that it is not practicable to defend against all threats. An organization therefore needs to look closely at its resilience: that is, what plans and arrangements are in place to minimize impact, speed recovery and learn from incidents, in order to further minimize impact in the future.

Further details on cyber resilience are available in our report Cyber Security Strategies: Achieving Cyber Resilience.

Preparing Your People

Many organizations recognize their people as their biggest asset. However, they still fail to recognize the need to secure the human element of information security. In essence, people should be an organization’s strongest control.

However, instead of simply making people aware of their information security responsibilities and how they should respond, the answer for organizations is to embed positive information security behaviors that will result in their behavior becoming a habit and part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real driver should be risk, and how changing employee behaviors can reduce that risk.

The position that disclosure will be more destructive than the data theft itself – is a sure-fire way to damage customer trust. However, advance planning is often lacking, as are the services of tech-literate public relations departments. The lesson that we tell ISF members is to carefully consider how to respond, because your organization can’t control the news once it becomes public. I strongly recommend running simulations with your public relations firm so that you are better prepared to respond following a breach.

Focus on the Need for Cyber Resilience

Businesses are functioning in a progressively cyber-enabled world and the fact that traditional risk management isn’t nimble enough to deal with the risks from cyberspace activity. To put things in simple terms: enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling. 

As global businesses, governments, and economies grow more interdependent, knowing how to build cyber resilient organizations will be vital to more than cyber security. We no longer hide behind impermeable walls, rather, we operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.   

Possibly Related Articles:
12571
Enterprise Security Security Awareness Security Training
Detection cyber-attack security risks
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.