Our experience working with a range of clients shows this transition is coming, ready or not. The drivers to adopt a risk-oriented strategy almost always involve a combination of six universal complaints:
1. Security's status and legitimacy constantly fluctuate. Big, scary events, like the attack on Google or the WikiLeaks data dumps, bring attention to the need for security. But then, adding restrictions to prevent such events results in grumbling and attempts to bypass controls. We need some equilibrium.
2. Security executives struggle to convey information effectively to their business counterparts and the board. Headline-making events like the Heartland breach clearly show what security flaws can do to the brand, but you can't depend on cautionary tales to get your message across.
3. Security executives may also struggle to articulate the business value of their programs; see items 1 and 2. It's not always easy to connect the dots on how hardening an operating system makes money for the company. OK, it's never easy.
4. Rank-and-file security teams working to bring together various silos, from compliance to audit, often end up in the middle of unproductive turf wars.
5. Security projects go haywire: maybe the program faces stiff organizational resistance or costs exceed expectations, and then, adding insult to injury, those expensive controls are only moderately effective.
6. There's constant and time-consuming grappling among security, compliance, and operational teams for power and budget. In particular, we often see information security and compliance positioned in a manner that virtually guarantees conflicts of interest, and as physical and logical security continue to merge (for example, as badges and computer credentials are linked), there are bound to be questions of who's responsible for what.
We've all faced riffs on these problems for years. A risk-oriented approach will help in every area.
If you're ready for a change, adjust your mind-set in two fundamental ways. First, expand your scope to include at least information security and technology risk, operational risk, and compliance as you work to transition away from tactical security and point projects. Second, think about the ongoing role of the security team. A holistic, risk-based approach is one where security efforts are targeted, relevant, and adaptable enough to be effective, no matter what direction the business moves.
It's as much an opportunity for alignment as it is a call for change.
Get Your Zen On
There are plenty of circular arguments about risk that make us want to stick our heads in the sand. Elaborate frameworks and expensive technologies will fall short or fail outright, and pundits will keep spouting what will often feel like (and, in fact, is) bunk. But there's a grain of truth in all this expansionism. In our survey, 40% of respondents say their companies will extend their risk programs to be more comprehensive. They have to, because the tenets of risk management, which we outline in the story on p. 36, are deceptively simple. When you really wrap your brain around what it takes to assign asset values, threats, controls, policies, procedures, responsibilities, and workflows, and then manage them across organizational, jurisdictional, regulatory, and even national boundaries, it becomes clear that we need all the inclusiveness we can get. But similar to the evolution from the firewall jockey who ruled 10 years ago to the information security manager and professional CISO of today, risk management is ready to become an overriding model.
And that can't happen until someone takes charge.