CIOReview | September 2017

While not exhaustive, the following rules will help your program stand up to the test of "excellence" for your organization.

Know your risk: Knowing your risk requires a comprehensive organizational risk assessment that defines your business profile and your digital and information profile, together with an analysis of industry threats and of external and internal threats, to arrive at your individual risk profile. Address your third-party risk, the services that are provided by third parties. Generate a risk register that denotes the inherent risks to your organization, the mitigating factors (process, people and existing technology) and then the residual risk. Include the potential and impact of risk realization to give a good basis for how much your company should care.

Prioritize risk: Even with full executive support and unlimited funds, everything can't be done at once. Prioritize what risk you are addressing through a process of determining what residual risk exists and the threat to your company. It is very important to understand that this decision is not one the CISO should make. The CISO should advise and provide context, but this is a company risk decision and must be made through the established risk management decision-making process. Because of the potential ramifications, the board should be made aware of the risk register and which risks are being accepted, mediated, eliminated, or transferred. In practical terms, the decision is generally which risks we are going to address first, not which ones we are going to worry about. This prioritization is critical to budgetary and resource requirements. Never make decisions about cyber risk remediation based on available spend, but fiscal constraints will always be a consideration in prioritization. Your program must be informed by the risk tolerance of the organization. Risk tolerance can be expressed in potential dollar loss but may be less tangible in terms of reputational or regulatory impact.

Take action: Once priorities are set and resources are committed, take decisive and bold actions in addressing the risk, whether simple solutions or more complex, multiyear initiatives like data protection and access management programs. Your program must run multiple work streams. To be effective, final results must address process, people, and technology. Technology shouldn't be selected or implemented until you have a solid process defined. If the process doesn't work on the "white board," don't waste time and money automating it. Then, when the solution is set, make sure you have addressed the people issue: skilled people who can maintain it and provide continuous improvement.

Monitor changes in the threat landscape: It's vital that once a program reaches "excellence" you monitor for changes that could cause it to no longer be good enough, including changes in business process, technology, staffing protocol (going to contract or outsource models), vendors, or the criminal, hacktivist or state-sponsored threat. Investment in a good threat intelligence program will pay dividends. Part of being good enough is having systemic controls that are flexible enough to respond to changes in threats without having to rebuild your security posture. Excellence is less a state than an ongoing journey.