Moving from Compliance to Risk-Based Security, Part 1

By Brian Musthaler | June 12, 2013

Posted in: Network Security Trends

After 10 years of managing an IT audit function for an international energy company, I had the opportunity to head up their IT Strategy group that was charged with creating Organizational IT Security and Risk profiles and plans.

The charge of this function was to annually evaluate organization-wide internal and external risk as it relates to IT, and to communicate this information back to the CISO, CIO and CFO. To carry out the evaluation of organizational IT risk required not just working with IT personnel, but also business personnel all the way up the C-level business unit leaders.

The information gleaned from these annual assessments drove plans to improve and bolster our overall security posture based upon where we were at a point in time and where we anticipated being in the next several years. Ultimately this was a dynamic view of risk versus a point in time tactical view.

This was 20 years ago. (My, how time flies!) One could say that what my team managed then was a precursor to today’s move to Risk-Based Security. It seems that history really does repeat itself.

If companies were really focused on risk-driven security 20 years ago, what changed? One word… “Compliance.”

I contend, as do others in the controls and risk community, that many organizations shifted their focus from a holistic view of security and controls to meeting the requirements of compliance and avoiding the risk of failing a compliance audit. Some call this “the check box” approach to controls and risk management. Until recently, the primary risk many at the C-level focused on was maintaining an IT security posture that assured compliance with one or more regulations or mandates, not necessarily changing the organization’s actual internal and external risk posture.

Anecdotally, this shift may have contributed to some of the “PCI certified” breaches that made headlines a few years back. I like to call this “insecure compliance.”

Here organizations are so focused on meeting the letter of the regulations and mandates that they lose sight of the risks that the individual controls in the mandates are intended to mitigate.

For example, PCI DSS, HIPAA, FISMA (through the NIST SP 800-53 control catalog) and a few other compliance mandates each call, within their own scope, for sensitive data and personally identifiable information (PII) to be protected by encryption both at rest and in transit. Hypothetically, to meet the “letter” of the mandate a company can deploy full disk encryption but unwisely store the keys on the same disk; and it can enable SSL/TLS on its servers but never enforce which protocol versions and cipher suites get negotiated, skip certificate validation, and do no monitoring for man-in-the-middle attacks. The data is “encrypted” on paper, yet an attacker who lifts the disk has the key along with it, and one who sits on the network path can downgrade or intercept the session. These are examples of “insecure compliance.”

Conversely, organizations that are truly focused on identifying risk and mitigating it to the fullest extent, rather than ticking off a check list of controls for compliance’s sake, would have determined that they need additional controls. In the above example they would manage keys independently of the encrypted disk (in an HSM, a key-management service, or at least a separate protected store), enforce modern TLS versions and strong cipher suites, validate certificates, and monitor for man-in-the-middle and downgrade attempts, providing better than reasonable assurance that their data is protected both at rest and in transit.
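To make the in-transit half of that contrast concrete, here is an added example (not code from the original post or from Wisegate) that builds the “check box” TLS client configuration beside the risk-driven one using only Python’s standard `ssl` module, and runs a small audit over each. The audit function and the weak-cipher markers are assumptions for illustration; the hardened variant is simply `ssl.create_default_context()` with the minimum protocol version pinned explicitly.

```python
"""Insecure compliance vs. risk-based TLS client configuration (added example)."""
import ssl
import warnings
from typing import List

# Substrings that mark legacy or broken cipher suites in OpenSSL cipher names
# (assumed list for this example; tune it to your own baseline).
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "MD5", "DES-CBC")


def checkbox_tls_context() -> ssl.SSLContext:
    """'Encryption in transit' on paper only: TLS is enabled, nothing is enforced."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # any name on the certificate is accepted
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted: MITM goes unnoticed
    with warnings.catch_warnings():     # TLSv1 as a floor is deprecated for good reason
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # peer may negotiate down to TLS 1.0
    return ctx


def hardened_tls_context() -> ssl.SSLContext:
    """Risk-based configuration: verify the peer, check the name, refuse old protocols."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # pin the floor explicitly, not by default
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of findings an auditor of the *risk* (not the check box) would raise."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2 (downgrade exposure)"
        )
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("check box", checkbox_tls_context()),
                       ("risk-based", hardened_tls_context())):
        print(f"[{label}]")
        for finding in audit_tls_context(ctx) or ["no findings"]:
            print("  -", finding)
```

Both contexts would let a compliance scanner tick “encryption in transit”; only the second actually stops an attacker on the path from presenting a forged certificate or forcing a downgrade. The same audit logic can be pointed at any `SSLContext` your application builds, which is a more useful control than a screenshot of a padlock.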

To that end, Wisegate recently released its Moving From Compliance to Risk-Based Security report. It is based on Wisegate CSO peer discussions across industries and confirms the need to embrace risk-management-based security.

The report discusses how IT organizations can sharpen their company’s security focus by both improving key metrics and using risk information to develop better security practices. Most importantly, the participants offer facts and insights for senior IT security professionals who must now move beyond a compliance “check box” mentality and adopt strategically focused security practices.

While no two risk programs are identical, Wisegate members identified and shared key takeaways for other IT security professionals considering risk management strategies.

These include:

  • Compliance becomes just one factor in the risk profile. Even in a risk-based program, compliance doesn’t go away entirely.

  • Tolerance for risk changes over time. The organization's risk tolerance is dynamic and fluid. The assessment plan and risk profile indicate the organization's risk acceptance level at that point in time, but it is expected to change.

  • Making risk management work takes different approaches for different areas. Risk management can be broken down into three distinct areas, each with a unique approach: strategic, tactical, and operational.

Based upon the discussions I had with several of the Wisegate CSOs and my experience in rolling out a risk-based security strategic plan, I agree 100% with the Wisegate CSOs’ observations and the report’s conclusion … “that risk management programs provide organizations with a lot of flexibility, but implementation still requires a tremendous amount of effort. A risk based approach doesn't eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that collectively everyone can agree upon the right balance. Risk management requires buy-in from the top-down so that there is support for new initiatives and processes.”

As a former auditor and risk management professional, I wanted to get better insight from the professionals who participated in the Wisegate discussion. I talked with Martin Zinaich, CSO of the City of Tampa, Florida, and Tim McCreight, CSO of the Province of Alberta, Canada. In my upcoming posts, I will share their views on what they see within their organizations as well as what they see taking place within their peer organizations.

To read this and other Wisegate reports, you can visit

Click here for Part 2.
