Resources To Meet The Security Challenges

By Jeff Theiler, SVP, CISO, Hancock Bank

Jeff Theiler, SVP, CISO, Hancock Bank

For security professionals, or any management professional for that matter, the key to managing limited resources is to focus on the key risks. Sound governance, risk and compliance practices are an effective way to manage limited information security resources - they may even lead to more resources!

The need for improved risk management focus, among other things, is changing the CISO role. The CISO role is transitioning beyond primarily a technical focus to include skill-sets related to business strategy integration and risk management principles. With these skills, CISO's are being asked to facilitate business solutions balancing the needs of securing information with the business needs for information access and convenience to achieve business objectives. That's not to say that IT and Information Security professionals have not been practicing risk management. Rather, I think the challenge has been translating those technology and security risks into understandable business impacts that can drive the resource discussion and enable the CISO to play a more integrated role with corporate and line of business executives in strategic business decisions. To facilitate resource discussions, CISO's can rely on several fundamental elements.

First, for those organizations practicing ERM (enterprise risk management), use the existing risk framework to develop or refine IT risk assessment processes – are these processes using the same scoring and rating methodologies as the rest of the organization? Same taxonomy? Basically, use the risk language of the organization to convey IT or security risks in terms of business impact without too much "techno-speak." Focus is on identifying critical security gaps, mitigation activities and resource needs to address gaps. This enables all involved to determine which risks to accept, avoid or resolve, etc.

Second, develop a corporate risk profile for enterprise security. This profile would clearly outline for directors, executive management, regulators, etc. what the organization looks like, the playing-field if you will, as it relates to the organization's use of information assets, where located, access methods, etc. along with the key risks, available resources and top security initiatives to support the risk profile. Be sure to include reference to use of third-party technology providers supporting the organization and whether possession of customer data.

Third, enterprise-level security metrics (key performance or risk indicators) are crucial to the resource discussion. There are any number of metrics available for IT and information security. The main focus is to reduce to a handful of enterprise level metrics that give clear indication as to the effectiveness and efficiency of the security program. For example, comparing your information security budget as a percentage of the IT budget with industry benchmarks and/or peer data and further referencing key metrics around vulnerability management can certainly focus attention on the appropriate resources needed to address risks.

Finally, determine the maturity level of your security organization. If not following one of the security frameworks (ISO, COBIT, etc.) and even the most fundamental of "blocking & tackling" activities associated with effective security management are a challenge, then it may not be a good use of time or effort pursuing complex initiatives requiring significant investment or resource capabilities.

Weekly Brief

Read Also

Vulnerability Management in Today's Enterprise Environment

Vulnerability Management in Today's Enterprise Environment

Darren Death, Vice President of Information Security, Chief Information Security Officer, ASRC Federal
Making Your Cybersecurity Program a Success

Making Your Cybersecurity Program a Success

Bob Turner, Higher Education CISO, University of Wisconsin-Madison
Feeling Vulnerable? A Primer on Building a Vulnerability-Based Table Top Exercise

Feeling Vulnerable? A Primer on Building a Vulnerability-Based...

Kristy Westphal, CSIRT, Vice President, Union Bank
Too Much Technology? Simplicity is Key in Vulnerability Management

Too Much Technology? Simplicity is Key in Vulnerability Management

Earl C. Duby, Jr., Chief Information Security Officer, Lear Corporation
Addressing Cyber Attacks

Addressing Cyber Attacks

Mark Connelly, CISO, Boston Consulting Group
BYOD is the New WiFi: We Must Learn from History to Enable Mobile Data Security

BYOD is the New WiFi: We Must Learn from History to Enable Mobile...

Dan Lohrmann, Chief Strategist & CSO, Security Mentor