Who owns information security risk in your organization?
Jeff Brown, former technology risk officer, AIG
In today's digital economy, there's no doubt that security is a very real risk of doing business. But who actually owns security risk in your organization? All too often, the responsibility is left with the CISO and the security team. But fundamentally, security is a business risk that needs to be understood and owned by your business leaders. But how do we get these leaders to understand their role in risk ownership?
Security is fundamentally just one of several risks that needs to be considered in the course of doing business. If you're the only one being kept up at night worrying about security, then the ownership message probably isn't clear. Worse yet, efforts to protect your firm's most important digital assets may also be off course. In a world of ever-expanding threats, more and more security professionals are being asked to identify which threats really need to be addressed and which can be accepted as a part of doing business.
Taking a risk-based approach to security can help you better focus limited staff and budget and make sure you're protecting the most critical business assets. This approach differs from a “check the box” compliance program that scrambles to address every threat without having a deeper understanding of the actual risk to the business and the underlying business processes. In a risk-based program, compliance becomes just another factor in understanding your company's overall risk profile. But moving from a compliance-based program to a risk-based program is not without its challenges. To get started on this path, there are some practical steps you can take.
Good risk management can influence stronger business decisions and leverage resources more efficiently by focusing efforts on the most important assets. Understanding business security risk involves looking at the problem through multiple lenses. There are business process risks, information risks, technology risks and disruption risks. No single role in the organization has the complete risk picture, which means that a risk-based approach must be collaborative. Security leaders must take on the role of a facilitator to help the business understand and manage their security risks. They must build and maintain relationships across the enterprise to get this discussion started.
You will also need to develop a stronger understanding of risk assessment and risk management concepts. If your company has an enterprise risk management or operational risk management department, work with these groups to understand what may already be in place. If not, there are a number of industry standard frameworks that can help, such as COBIT and NIST.
Getting the actual risk conversation started involves gathering key stakeholders including business leaders, the chief compliance officer, legal, privacy, internal audit, HR and the CIO. This group can work collaboratively to identify risks and decide how best to manage them. This group can also serve as a steering committee for the overall security program.
Finally, you will also need to build the capability to monitor risks proactively over time. An organization's risk tolerance will change as the business and threat landscape changes.
It is impossible and undesirable to apply every security control to every asset. Taking a risk-based approach will help focus your efforts and ensure that the most critical assets are getting the most attention. Then, maybe everyone can sleep a little easier at night.