Resources To Meet The Security Challenges
For security professionals, or any management professional for that matter, the key to managing limited resources is to focus on the key risks. Sound governance, risk and compliance practices are an effective way to manage limited information security resources - they may even lead to more resources!
The need for improved risk management focus, among other things, is changing the CISO role. The CISO role is transitioning beyond primarily a technical focus to include skill-sets related to business strategy integration and risk management principles. With these skills, CISO's are being asked to facilitate business solutions balancing the needs of securing information with the business needs for information access and convenience to achieve business objectives. That's not to say that IT and Information Security professionals have not been practicing risk management. Rather, I think the challenge has been translating those technology and security risks into understandable business impacts that can drive the resource discussion and enable the CISO to play a more integrated role with corporate and line of business executives in strategic business decisions. To facilitate resource discussions, CISO's can rely on several fundamental elements.
First, for those organizations practicing ERM (enterprise risk management), use the existing risk framework to develop or refine IT risk assessment processes – are these processes using the same scoring and rating methodologies as the rest of the organization? Same taxonomy? Basically, use the risk language of the organization to convey IT or security risks in terms of business impact without too much "techno-speak." Focus is on identifying critical security gaps, mitigation activities and resource needs to address gaps. This enables all involved to determine which risks to accept, avoid or resolve, etc.
Second, develop a corporate risk profile for enterprise security. This profile would clearly outline for directors, executive management, regulators, etc. what the organization looks like, the playing-field if you will, as it relates to the organization's use of information assets, where located, access methods, etc. along with the key risks, available resources and top security initiatives to support the risk profile. Be sure to include reference to use of third-party technology providers supporting the organization and whether possession of customer data.
Third, enterprise-level security metrics (key performance or risk indicators) are crucial to the resource discussion. There are any number of metrics available for IT and information security. The main focus is to reduce to a handful of enterprise level metrics that give clear indication as to the effectiveness and efficiency of the security program. For example, comparing your information security budget as a percentage of the IT budget with industry benchmarks and/or peer data and further referencing key metrics around vulnerability management can certainly focus attention on the appropriate resources needed to address risks.
Finally, determine the maturity level of your security organization. If not following one of the security frameworks (ISO, COBIT, etc.) and even the most fundamental of "blocking & tackling" activities associated with effective security management are a challenge, then it may not be a good use of time or effort pursuing complex initiatives requiring significant investment or resource capabilities.
Today's Threat Landscape Requires Adaptive Security
Staying Abreast of Application Development and Delivery
How to Ensure Information Security when Outsourcing Your Projects
This Is How Your Computer Gets Hacked!
By Nancy S. Wolk, CIO, Alcoa - Global Business Services
By John Kamin, EVP and CIO, Old National Bancorp
By Gregg T. Martin, VP & CIO, Arnot Health
By Elliot Garbus, VP-IoT Solutions Group & GM-Automotive...
By Bryson Koehler, EVP & CIO, The Weather Company, an IBM...
By Gregory Morrison, SVP & CIO, Cox Enterprises
By Adrian Mebane, VP-Global Ethics & Compliance, The Hershey...
By Lowell Gilvin, Chief Process Officer, Jabil
By Dennis Hodges, CIO, Inteva Products
By Gerri Martin-Flickinger, CIO, Adobe Systems
By Walter Carvalho, VP& Corporate CIO, Carnival Corporation
By Mary Alice Annecharico, SVP & CIO, Henry Ford Health System
By Bernd Schlotter, President of Services, Unify
By Bob Fecteau, CIO, SAIC
By Kushagra Vaid, GM, Server Engineering, Microsoft
By Steve Beason, Enterprise CTO, Scientific Games
By Steve Bein, VP-GIS, Michael Baker International
By Jason Alan Snyder, CTO, Momentum Worldwide
By Jim Whitehurst, CEO, Red Hat
By Alberto Ruocco, CIO, American Electric Power