CIOReview | March 2017 | 9

matured significantly in the last decade; in addition to cybersecurity, it now encompasses aspects of physical, personal, data, communications and network security. These disciplines are interconnected, so a weakness in one area affects the others. In response, the inclination is to ensure every part is "bolted" down. While this premise is correct, over the last few years we have seen cost-benefit realities and the sharp increase in the number of security tools reshape security programs. It is simply not practical to own one of every security tool available. This reality has brought about the merging of security and risk management practices to determine risk tolerance. Many security professionals have embraced this concept, and many would argue that a risk-based approach was always part of the profession. There is truth to that; however, the merging has created a need for greater discipline in documenting risk practices.

Solid risk management programs provide a formal process to understand and document risk, determine the organization's tolerance of it, and decide on the appropriate mitigation strategy.

An organizational risk assessment is the first step to truly understanding risk. A good assessment documents the company profile: its purpose, mission and objectives; the risks of its industry and those particular to the company, based on internal and external threats; and the organization's risk tolerance. In doing so, risk should be categorized as regulatory, reputational and threat-based (criminal or otherwise), and these categories are generally industry-specific. A bank, for instance, has concerns in all three areas, and being secure in one does not mean being secure in the others: addressing its threats well does not make it regulatory compliant, and conversely an organization can maintain regulatory compliance yet have a negative reputation with the public.
All must be addressed. Therefore, the risk assessment should define the controls that are, or may be put, in place to reduce or mitigate each risk. It should also document the risk management strategy for each risk in terms of elimination, acceptance, mitigation or transference. Within security, there are places where the strategy should be elimination: for instance, technology is employed that detects and seeks to eliminate a threat, the simplest example being the elimination of all malware. In other cases the strategy can be risk acceptance, if the risk is deemed low or if the cost of protection far outweighs the penalty.

But why go to all this trouble if you just want to secure the environment? The goal of a formal risk management program is to employ a governance framework to achieve a known and consistent state, one that can be measured, discussed and continuously improved in an organized manner over time. A formal program also provides an avenue to ensure that corporate governance entities, such as corporate risk committees or the board of directors, have sufficient awareness of risk and of what the program is doing to address it. The security program can then be aligned to manage agreed-upon risk, which helps prioritize security initiatives. The program, in essence, provides a form of corporate agreement on what the security professional should be working toward. In that sense, it is actually liberating.

In summary, the key to solid risk management is to understand your company's objectives, risk tolerance and risk profile, and then make risk-based decisions that serve the company's mission and objectives. The most successful programs combine these concepts and principles into the security program and operate as a risk management program.