• Know Your Threats -- Identify and prioritize the threats that pertain to your day-to-day business operations. All threat vectors are not created equal. For example, viruses and worms may be more frequent; however, you may have already mitigated their impact. Denial-of-service and remote control attacks, on the other hand, may present serious challenges to your operations.
• Determine your vulnerabilities -- Arrange for a trusted and qualified third party to do a broad-based security vulnerability assessment (SVA). Such an assessment should include specific sample populations, like areas of your IT, business infrastructure and operations. Be sure to use a holistic approach that examines the root causes and takes corrective actions. Then, break down your recommendations for remediation into people, policy, process and technology.
• Avoid techno-babble -- Keep in mind that business and IT managers will react better if you govern your approach with the basic tenets of business risk management, not just IT security terminology, which all too often changes into techno-babble. This is not the business language with which upper-level business executives are comfortable. Talking their talk will get their interest and support, helping you move beyond a set of tactical, technical IT security fixes.
• Whose plan is it? -- To be successful in this process, you must create and market/sell an appropriate IT security strategy tailored to your company's risk profile requirements and business operational needs. It is often easier to convene an appropriate IT and business management advisory council to help you in this strategic planning process if you present a business risk management-based charter, goals, objectives, etc. These should be couched in business terms, be measurable, and help meet executives' business operational responsibilities.
It is also important to convince a broad base of IT and business managers to own the company's IT security strategy. Otherwise it will be nothing more than a random and disconnected set of IT security programs and projects which may offer some level of protection, detection and risk avoidance, but with no real, measurable risk reduction targets that IT and business executives understand. The ultimate goal is to get business executives to buy into and own the company's overall security strategy.
30 seconds on...
A few steps ahead
Risk management, according to Richard Starnes, president, ISSA, is the process that allows managers to balance operational and economic costs of protective measures with a resulting gain in mission effectiveness.
Avoiding the void
A threat, he says, is anything likely to cause damage to an information system. For the threat to be viable, there must be an exposure to that threat. A countermeasure is anything that mitigates potential risk.
Educate before it's too late
A recent poll of 1,700 CIOs, CSOs and security directors by nCircle found that 60 percent of respondents were unable to determine whether their network security risk was decreasing or increasing over time.
Making a case
According to a recent report on the website Wall Street & Technology, CIOs can expect to have an easier time making the business case for security initiatives, as fear of accountability will continue to run high in 2006.