Moving from Compliance to Risk-Based Security – Part 2

By Brian Musthaler | June 18, 2013

Posted in: Network Security Trends

In my previous post, Moving from Compliance to Risk-Based Security - Part 1, I mentioned that I would share my discussions with two security executives who feel strongly about this topic. Both of them participated in the Wisegate CSO peer discussion documented in the report Moving From Compliance to Risk-Based Security. These experts clearly confirm the need to embrace risk-management-based security.

In this post Tim McCreight, the CISO of the province of Alberta, Canada, shares his insights on his organization’s move to a risk-based security program.

We began our conversation with the move from “security by compliance” to “security by risk.” I contend that many organizations are so focused on meeting the letter of regulations that they lose sight of the risks that the individual control mandates are intended to mitigate – what I call “insecure compliance.”

McCreight:  Unfortunately many organizations are checking off boxes on a compliance spreadsheet and assuming that they are secure. This check box approach leads to a major failing of examining “all” the technical and business risks associated with things that range from configuration of encryption to BYOD.

My organization has expanded the approach to assessing IT risks beyond tactical IT issues to include all business functions. This gives us a holistic view of our overall business and IT risk posture.

For example, on any project we begin by first asking business questions of the business leaders. We do this to understand what the leader believes the risks are associated with their request. Many times we see that a business leader’s perception of organizational and IT risks is nowhere near reality.

This starts a transformational education process that creates a common understanding of the information and process risks that are under their control. At the end of the day, as the CISO I need their insight as to what is important to the organization so that we can allocate our limited resources in the best way to protect those items that matter the most and pose the greatest risk.

Musthaler:  How are your business leaders reacting to your business risk-based approach?

McCreight:  It took a while for our leaders to realize that we are serious about risks associated with business processes. Now they understand the purpose behind the questions we ask of them.

BYOD was one of the first areas where we applied an IT risk focus to business decisions. We asked, “What’s the purpose of your team using iPads? Are they in your day-to-day operations? What information do you use on these devices? Is this technology really the right fit?”

We left it open to them to answer the questions. As expected, the initial response was “Why are you asking us this?  All we want to do is increase productivity.” From here we began the education process.

Business leaders now anticipate our questions on business and IT risks and engage us early on. For example, with cloud implementations there is a heightened awareness around having sensitive information in the cloud. They may not know what controls are needed. But, they engage us to perform privacy impact assessments to have a better understanding of the risks, the controls needed, and the overall costs. All of this helps us as a team make better risk-based decisions.

Musthaler:  It appears that you have senior management endorsement. Unfortunately many organizations struggle with communicating IT risk at the C-level. How did you get management support?

McCreight:  Yes, many organizations face the “communications gap” you allude to. To that end, our approach truly benefits the entire organization. We look at the relationship between IT and businesses risks holistically and recognize every action has a risk, and that IT risks are not the only ones that must be addressed. Most importantly we present the issues in business context that our leaders understand. As a result, we now have senior management buy-in.

Musthaler:  Can you talk about the risk framework and technology you are using?

McCreight:  As we both know, risk management technology is not a panacea. It is a tool to gather information, document risks, and put structure behind the questions asked regarding risk.

One of the most important things this technology gives us is a view into the interdependencies within our IT operations and business units. With these tools, we easily catalog, measure, and communicate our risk posture.

As far as frameworks go, risk management solutions have a series of authoritative sources and structures that can be adapted, such as ISO, COBIT and virtually all the authoritative risk sources available on the market. As a result, our risk questions are geared to these frameworks. With these tools we can also apply criticality to assets and the areas that we are trying to measure so that we have a clear picture of our risk posture.

Musthaler:  If you could, what do’s and don’ts do you have for the readers and your peers?

McCreight:  Most importantly, know your business. What do I mean by this? I believe many CSOs see their roles as being a security officer only. In reality they are running a business unit as well and are accountable for the security of the entire business. To effectively manage business risk, you must know every aspect of the business.

Second, get to know your internal peers. You need both critical input and support from these leaders as you work to transform your organization to a risk-based approach to security.

Third, get to know senior management. You need both their business insights and their support.

Lastly, communication and education are critical for everyone from the C-suite to the line managers.

If you do not or cannot do these things, your move to an organizational risk view of security will be met with resistance and may ultimately fail.
