Before I answer that question, I want to ask a few questions of my own. How often does the threat landscape change? How often do your business processes, data inputs, or IT systems change? Do you know all the business assets that are connected to your IT network? For instance, do you see new devices on the network almost every day? Do you have effective high-level internal controls such as a disaster recovery plan, data back-up strategy, business continuity plan, information security policies, an event logging and monitoring strategy, and an educated and trained staff?
Because change and a business mentality of continuous improvement are as inevitable as taxes and death, organizations need to continuously plan ahead with regard to the security and risk management processes they implement. CISOs must keep pace with the rest of their organization, which includes meeting the demands of the business while staying in front of emerging threats and technologies. With attack surfaces continually growing and the task of securing information and remaining compliant becoming more complex, security and risk management strategies need to be flexible and agile.
A good information security professional is an effective risk manager. I believe that Information Security IS risk management for data, information and other technology assets. Some Information Security professionals will create an Information Security Risk Strategy, while others create a Risk-based Information Security Strategy. In my mind and for the purpose of this editorial, they are the same thing. And I think that every CISO must have one or the other to be an effective organizational leader.
The importance of developing an information security risk strategy is often overlooked. A risk-based security strategy serves as a blueprint for establishing an information security culture and promotes security practices that can be adapted to meet future challenges. An effective information security strategy will assist the organization in achieving its short-term goals, as well as its long-term strategies. An effective risk management strategy will contribute towards ensuring IT resources (i.e. people, time and money) are used more efficiently and effectively. And finally, an effective strategy will identify and treat risks before they become problems and distractions for the organization.
So, going back to the original question: when, and how often, should I evaluate my Information Security Risk Strategy?
I should evaluate my risk strategy when my performance indicators or metrics indicate that I am no longer contributing to the success of the organization or effective in protecting and preserving the assets of the organization. When this occurs it generally means I am not effective in identifying risk, analyzing risk, measuring risk, treating risk and properly communicating the message to senior leadership. When an organization has a weak or non-existent security risk strategy, I typically hear things like “I am not getting the funding to get my job done,” or “I can’t seem to get time with my boss,” or “It seems like the organization doesn’t care about information security,” and my favorite, “All I do all day is put out fires! I don’t have time to make plans and develop strategies!” Of course, the caveat to using metrics to manage your strategy is to ensure your metrics and performance indicators truly support the organization’s mission and goals, are meaningful to senior leaders and are actionable.
I believe I should review my Information Security Risk Strategy daily. I should make sure the tasks and activities I have scheduled for the day will contribute towards achieving the goals and objectives of my department and of my university. Much like a builder will review blueprints when arriving at a job site to ensure the activities planned for the day will advance the project, I should review my team’s activities to ensure they align to the information security strategy and support the goals and mission of my University.
To help me ensure I stay focused on my responsibilities to the university, I keep the following list on a whiteboard in my office as a daily reminder to stay focused on security, risk management and compliance:
1. Understand the University’s strategy, goals AND their risk appetite
2. Develop a Security/Risk strategy to support #1
3. Validate my understanding of the University’s strategy, goals AND their risk appetite
4. Identify risk metrics that align organizational goals to the Information Security Risk Strategy AND IMPLEMENT THEM!
5. Triple check that I understand the University’s strategy, goals AND their risk appetite
6. Implement your Risk-based Information Security Strategy – always checking that it remains aligned with #s 1, 3 & 5.