I have been talking for years about a new model of management.
The first goal is to implement a model that is predictive regarding threats and controls. This is to ensure that we are implementing controls before we have an incident or an audit finding.
Second is to have risk-level goals decided on by leaders of the organisation, not by the security team. The ability to ascertain the risk tolerance of the business gives us a benchmark to hit, as opposed to just “guessing” and then getting political pushback.
Third is to institute a tight mapping between every control and its threat justification. This is to ensure we have a valid reason for each control we put in place and a response for each threat.
Fourth, we must have an assessment component to determine a desired result, as well as a true risk rating.
There are two main methodologies that I use to implement these.
The first is the equilibrium methodology, which works to establish a balance between the threats and controls. It achieves this by using leadership's perception of the appropriate risk level as the fulcrum. That perception is obtained via a survey of executives that asks them how vulnerable they are willing to be for what value, as well as how much they are willing to risk.
This simple model is the business's direction that information security should take and implement, because it results in less debate over why the controls are being put in place and encourages stronger support from leadership to help push the initiatives through.
The second methodology is risk management. The concept of risk is rarely well-conceived or implemented in most organisations. In our strategy, we start by going back to basics. In building out a threat taxonomy that details the threats we have seen and could yet see, we lay the groundwork for the controls. From there we detail the specific controls needed to address each threat.
A three-tier controls model follows that lays out the policy, standard, processes and 'live' drift identification and remediation for each threat. The control gaps that are identified clue us in to what is needed in the security plan.
Lastly, an assessment of each control that is implemented is performed for efficacy. Then, findings are put in context with each particular environment, from which we can then derive three buckets of risk: value, brand and operational.
It is these three categories that get communicated to the business as the enterprise risk levels. These categories establish a relevant and understood language of risk for the business executives, so it is intuitive to them. While nothing is perfect, this approach is a step forward toward bringing structure and predictive maturity to what is commonly seen as chaotic and reactive.
This article originally appeared at scmagazineus.com