Do you know what keeps your CEO up at night? Chances are that it is similar to the things causing us, as information security professionals, to lose sleep. Do you worry about confidential information escaping from your network and getting into the hands of the competition? So do they.
If you are responsible for security on your network, you are going to be required to know exactly what is happening over the network at any given moment, and you will need to be able to produce records at any given time.
You are going to be called upon to explain what information is going where to non-technical people – and you are going to have a short window to react with the appropriate response.
By using new ways to monitor the network and detect electronic risks at the content level, however, you can align your traditional security defenses with the real business risks facing your corporation.
The following seven steps of effective risk management have, in my experience, established how to deal with risks that involve a combination of technology and business drivers.
- Identify all perceived risks
This step is mostly a fact-gathering exercise. If you work in a publicly traded company, read the Management's Discussion and Analysis (MD&A) section of your company's annual report, and use what it says to establish all the "perceived" risks that are top-of-mind with your executive management staff, auditors, compliance officers and legal.
Because you know best how these risks would play out over the IT infrastructure, this is the time to start educating others on how likely these risks might be. If your notion of the threats and capability to address them does not match this assessment, you should definitely move on to step two.
- Gather data on actual risks
It is now possible to use technology to gather information on risks down to the actual breach of a credit card, social security number or protected intellectual property in a design drawing. Some of the best weapons that should be included in your security arsenal are technologies that look beyond the firewall and zero in on electronic risks in real time. Instead of planning your security around "what-if" scenarios, you will then have the facts you need to determine a security strategy aligned to the actual business risks impacting your organization.
- Correlate data and look for trends
Once you see actual risks, you have a key piece of the puzzle that was previously missing – trend data. If you can see the information in its entirety, you begin to see the context of different risks. Are employees in need of training or is there real misconduct? Are there risks through inappropriate behavior which you can predict by monitoring the ways in which people communicate, for example, during certain times of the financial reporting period?
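As an added illustration of the content-level detection described in steps two and three (example code written for this page, not part of the original article or of any product it refers to), the following Python scans a constructed set of outbound messages for credit-card and Social Security numbers, validates each candidate so that look-alike order numbers are discarded, masks what it reports, and tallies findings per sender so that a recurring source stands out from a one-off mistake. The message list, addresses and numbers are all constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of outbound messages (sender, channel, body) for the
# demonstration; none of these are real people, accounts or card numbers.
SAMPLE_MESSAGES = [
    ("alice@corp.example", "email",   "Invoice attached. Card on file: 4111 1111 1111 1111, thanks."),
    ("bob@corp.example",   "webmail", "Order ref 1234567890123456 shipped today."),
    ("alice@corp.example", "email",   "Client SSN 078-05-1120 for the onboarding form."),
    ("carol@corp.example", "chat",    "Design spec v3 uses part number 4000-1234 internally."),
    ("alice@corp.example", "email",   "Second card for the account: 5500 0000 0000 0004"),
]

# 13-16 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
# AAA-GG-SSSS layout; structural validity is checked separately
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return 13-16 digit sequences that pass Luhn, with separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    """Return AAA-GG-SSSS strings whose area, group and serial are structurally valid."""
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        found.append(m.group(0))
    return found


def mask(value: str) -> str:
    """Keep only the last four characters so the report never re-exposes the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_messages(messages) -> list:
    """Step 2: turn raw traffic into a list of substantiated findings."""
    findings = []
    for sender, channel, body in messages:
        for card in find_card_numbers(body):
            findings.append({"sender": sender, "channel": channel,
                             "kind": "card", "value": mask(card)})
        for ssn in find_ssns(body):
            findings.append({"sender": sender, "channel": channel,
                             "kind": "ssn", "value": mask(ssn)})
    return findings


def trend_by_sender(findings) -> Counter:
    """Step 3: correlate findings so repeat sources stand out from one-off mistakes."""
    return Counter((f["sender"], f["kind"]) for f in findings)


if __name__ == "__main__":
    results = scan_messages(SAMPLE_MESSAGES)
    for f in results:
        print(f"{f['sender']:<20} {f['channel']:<8} {f['kind']:<5} {f['value']}")
    print(trend_by_sender(results))
```

Run as-is, the scan reports three findings: two masked card numbers and one masked SSN, all from the same sender, while the 16-digit order reference fails the Luhn check and the part number is too short to be considered. The per-sender tally is the trend data the article refers to: one person sending two cards and an SSN over email is a different conversation (training or misconduct) from three unrelated people each making one mistake.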
- Prioritize the severity of risks
Now that the risks have been substantiated and correlated, you have a better sense of how to prioritize them. Focus on the top risks, and align budget and resources toward the business risks that are part of a compliance strategy. Understand how much remediation will cost versus doing nothing. A cost-benefit analysis makes it easy to see which risks should be highest priority – those that expose your company to the most damage. Make sure that the price tag for addressing a risk does not exceed the exposure or penalties themselves, and don't forget that the impact of some risks is not easy to quantify.
- Take action to remediate risk
Once you can see your risk and present it to the other critical business stakeholders, you can begin dialogues on how to remediate risks with a combination of technology, processes, policies and proper training. Because the risks you will need to remediate will intersect with various departments – such as compliance, human resources, risk management, legal, and potentially even more – a taskforce or a steering committee approach usually proves to be the most effective.
- Standardize risk reporting
Now you can standardize reporting that will allow you to communicate the risks (and risk exposures) to senior managers and auditors more effectively. Management will see the value in information security's role because it will be effectively mitigating risks and helping the executive staff react with legal response when necessary.
- Monitor risks and unusual trends
Continue to monitor and report on risks with a defined methodology and process. Now that you understand risk "norms", you can focus on more interesting problems and bigger issues, spotting a threat and reacting to it before it becomes a real business problem. This is where risk management really begins to pay off. The more intelligently you can spot an unusual trend, the faster you can stop an event that could become a chain reaction of negative publicity.
By following these seven steps to risk management, you can effectively monitor, analyze, and defend against the internal threats that are imminent in today's networks, assuaging your CEO's fears – and letting us all sleep better at night.
Lorne Boden is the senior systems administrator at Topspin Communications