CISOs and security execs at some of the world's most well-known companies have provided recommendations to help enhance organizations' security programs.
On Tuesday, the Security for Business Innovation Council (SBIC) released a report (PDF) detailing the suggestions. The council consists of 19 security leaders, including Coca-Cola CISO Renee Guttmann, FedEx CISO Denise Wood, JPMorgan Chase Chief Information Risk Officer Anish Bhimani and EMC's Vice President and CSO Dave Martin.
The execs made five central recommendations in the 16-page report. One is that organizations should broaden their focus from technical assets, such as servers and applications, to include the critical business processes that make up the “bigger picture perspective” of how information is used to conduct day-to-day operations, the report said.
In addition, the council advised enterprises to define detailed risk scenarios and estimate the business impact of security incidents.
Other recommendations were to develop “informed data collection methods,” as well as a strategy for collecting relevant data for evidence-based controls assurance.
The council also challenged organizations to implement risk assessment processes that involve shifting to more automated tools for “tracking information risks as they are identified, evaluated, accepted, or remediated” to accelerate decision-making.
Sam Curry, chief strategy officer and chief technologist at RSA, EMC's security division, told SCMagazine.com that, in order for IT leaders to move security programs forward, they must take a strong interest not only in IT operations but in their company's culture itself.
“This means that the security department needs to learn that they aren't just IT members that work for an insurance company [for instance],” Curry said. “They need to be able to show that they are just as responsible at managing themselves and that they speak the language of the company.”
Curry also emphasized a recurring theme throughout the report, which advises organizations to use success-based risk remediation: weighing the risks a company takes on against the “reward,” meaning the business gains that lowered security controls allow.
The chief technologist added that many companies focus on buying security tools as they begin to build out their security programs, which raises the question of quality over quantity.
“The key, when you start managing risk, is that the business becomes more mature and you start investing in tools that are more intelligent,” he said.