Since the advent of the internet, businesses of every kind, size, and location have sought to reach new and larger markets. The internet gives them new opportunities, which they pursue competently, efficiently, and effectively with computerized tools. Today, every reputable business that depends on the internet must build a security strategy and a security culture to earn consumer trust, goodwill, and confidence. In such an exposed business environment, cyber security should be an active part of any business plan.
The first question we have to ask ourselves is “how secure is our organization?” To answer it, we first need to understand the lay of the land by conducting a comprehensive assessment of the operating environment and the organization's specific business needs. As part of the assessment, we should look at what we have, where it is, how it is currently being secured, what safeguards are in place, whether continuous monitoring and detection processes exist, and whether proper incident response planning and disaster recovery capabilities are in place. In addition, sensitive data needs to be located and classified, along with assets including hardware, software, IoT devices, and cloud resources. Information security should be viewed as a risk mitigation activity: a holistic assessment of threats and vulnerabilities that helps the organization prioritize and mitigate its risks appropriately. The assessment should give us a clear picture of the strengths and weaknesses of both the security program and the security culture of the organization.
We also need to understand how our industry and business operate. Without that knowledge, we cannot anticipate the problems we might encounter or how to solve them. For example, at one of my previous organizations, I ended up spending some time on the company's manufacturing floor and in the service centers. This helped me understand our operations and obtain the business acumen needed for this task. I strongly feel that the IT/security leader must be a technical expert with the business acumen to have successful conversations with boards and executive teams. This is one area that I had to improve over time, as my background has been mainly on the technical side. We can lose and confuse our executive audience by using too much technical jargon. If top management does not understand us, they will be hesitant to act on our recommendations. Boards and executives care about the business, and cyber risks threaten the two things every business depends on: profit and the continuity of critical business operations. Cybersecurity is an important business function, so it needs to be presented to top management in the same way as every other important business function in the company.
As a next step, a very clear conversation has to take place with the organization's senior management and/or the Board about the acceptable level of risk for the data and information that need to be protected. It is important to identify who has risk authority, that is, who can assume and sign off on cyber risk. The Board and the CEO hold ultimate authority for risk decisions and delegate it downward. The CISO or CIO should be able to make enterprise-wide security risk decisions in the same way that a CFO has the authority to make enterprise-wide financial risk decisions. Business unit leaders should have a degree of security risk authority for decisions whose impact is largely contained within their own business units. I highly recommend identifying potential risk-decision scenarios and discussing hypothetically how each would be handled.
A defined tolerance for risk is important for your organization. The National Institute of Standards and Technology's (NIST) Special Publication 800-39 defines risk tolerance as “the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame.” In practice, risk appetite is the amount of risk an organization is willing to take on in pursuit of its goals, and risk tolerance is the degree of deviation above that appetite the organization is still prepared to accept. While setting a cyber-risk appetite may seem like a purely technical exercise, there is more to it than that: the conversations need to include non-technical functions. Cyber-risk appetite ties together different kinds of risk, including cyber risk, enterprise risk, and operational risk.
Businesses are driven by different factors. Some are driven by customer security requirements, others by compliance obligations, and still others by the security risks inherent in their own IT systems.
An organization's security pressure posture is also vital in determining its risk tolerance level. Security pressure posture represents the external drivers and forces that compel a business to implement a strong security program. Organizations with a moderate to high security pressure posture have several factors driving their need for a strong information security program: they are usually attractive to cyber attackers for financial reasons (for example, they hold valuable data, or a compromise can be monetized in other ways), while also feeling varying degrees of pressure from customers, the business itself, and/or regulators to maintain a strong security program.
There is no generally accepted template for a security risk assumption model. My recommendation is to use risk tolerance levels of low, medium, and high, which can be applied to any organization. In my case, after a workshop with the leadership team, we arrived at our risk tolerance level, which guided the development of our security strategy and determined our funding and resource needs. A formal process for security risk assumption that is both documented and approved by top management is an important first step in developing a security strategy. The goal is to develop and implement a security program that is not only effective but also sustainable.
To ensure alignment with the business, work with the other department leaders in the organization and with your own team to tie the security program's goals back to the overall IT and business-level goals. Through this cascading series of business, IT, and security goals, it becomes easier to explain how a security initiative helps the business achieve its goals. I highly recommend holding multiple sessions with open discussions of planned business and IT initiatives.
- NIST SP 800-39: The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing information security risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.