Network Computing is part of the Informa Tech Division of Informa PLC


Rise Of Risk Management: Page 6 of 6

Eight-Step Program

Some companies wouldn't dream of deploying software until version 2.0; let the early adopters work out the kinks. In much the same way, the risk management movement has been gaining momentum over the past several years. Forward-thinking organizations kept the pressure on vendors and standards bodies to provide the tools and frameworks to make a comprehensive risk-oriented approach possible; now, you can reap the benefits.

As we discuss in our full report, there are plenty of frameworks, tools, and best practices in place. To get started:

>> Take a small step by putting together a registry and controls library for tracking the risks your organization faces--unpatched systems, ineffective processes--and documenting related data, such as who owns the asset and expected mitigation dates. At this point, a spreadsheet is all you need.

>> Develop and maintain a services inventory. What are the IT services on which the business runs? Think about your e-commerce platform, customer support systems, cloud-based storage. How important are they? What are key characteristics--is there sensitive data involved? What about the servers that comprise the system--are they physical or virtual, and where are they? List all the assets that make up each service.

>> Identify allies. Present your vision to senior executives in as many business units as possible, from sales to customer service, HR, and finance. We often find IT is surprised at the warm reception they get.

>> Establish a vision: What will enable you to successfully transition to a risk-management- and analysis-based approach? Identify both tactical and strategic objectives.

Consider this timeline: Define the guiding framework in 60 days, establish values for all critical and sensitive assets in six months, have an established risk analysis procedure in place in nine months, meet framework compliance in 24 months.

>> Select a guiding risk management framework. These frameworks, which we discuss in the story on p. 38, generally have the same core components, so don't get bogged down obsessing over your choice.

>> Reboot your relationships with management, peers, and business colleagues. What must you as a security professional do differently to make sure everyone is working toward the same goal--managing risk--rather than being reactive, jumping from exploit to exploit? How can you convey information so that everyone understands the new vision?

>> Identify critical areas of risk that have no owner or have consistently caused the business problems, and propose a plan for addressing them. First, tackle problems that are within your current sphere of influence or responsibility and cause the business particular pain and angst. Separate quick projects from long-haul efforts. Apply easy fixes, let people know how they'll save money and/or make the company safer or more competitive, then use the resulting goodwill to hammer away at bigger stuff.

>> Tailor your pitches based on what keeps people awake at night. The security team worries about military-grade hackers. Executives worry about being held personally liable, if only in the court of public opinion. Compliance officers see the regulatory climate shifting, and the CFO has shareholders asking for more transparency. All of these problems can be addressed with a comprehensive risk-based program.

Erik Bataller is a senior security consultant with Chicago-based risk management consultancy Neohapsis.
