Risk Management: Aligning Information Security Activities with the Enterprise

Image

In any organisation, even the most uncomplicated business decisions have their associated risks. Such risks involve people, processes and technology, and they must be systematically identified and addressed on time and on budget. Risk management, as we know, is a process through which the uncertainties around delivering an objective are managed. Information Security Risk Management (ISRM) and information assurance play a huge role in determining the risks to be taken into account when assigning priorities. ISRM is a complementary process and part of a comprehensive Enterprise Risk Management (ERM) program. The mandate for ISRM is very specific: Data, Data System and Data Infrastructure. Despite many calls for ISRM to be aligned with business goals and organisational risk profiles and appetites, there is some resistance. This is because ISRM activities in many organisations have focused excessively on the implementation of controls with less consideration of the importance of business goals. The business should be the sole engine that drives the information security (IS) risk treatment process. One of the major causes of such a shortcoming is the lack of understanding of organisational objectives and business units by IS professionals on the one hand, and the absence of adequate security awareness in senior executives on the other. Information security managers must only act in the interest of the business and become dynamically involved, with their efforts strongly aligned with the objectives of the business. A business-aligned attitude assists ISRM in supporting business objectives and perceives the process as an enabler rather than an obstacle.

What should be done?

The Chief Information Security Officer (CISO) is in a unique position to guide the alignment between ISRM and ERM. The CISO is the person accountable for the security of all forms of information; therefore, enterprises must ensure that they satisfy the following:

1. The CISO must function independently from the IT department and report only to the CEO or CIO, provided the CIO is a member of the board. This would safeguard better alignment of security with business objectives. The business-aligned approach ensures a successful risk-mitigation strategy. Risk owns by business and treatment of risk depends on business decisions – this is the key to success. The CISO carefully prepares the security methodology based on the business plan and the performance of resources and services with clear articulated measures that are aligned with core business strategy and priorities.

2. An adequate security policy that is fully aligned with and adjusted to the risk appetite framework (RAF) of the enterprise, where strategic business objectives are carefully considered, must be adopted. The information security effort must reduce the enterprise operating risk through a healthy and comprehensive information security policy. The purpose of such a policy is to support the organisation along the bumpy road of dealing with business risks. Organisations increasingly face various types of threats and, consequently, responding to risks requires a treatment based only upon the business risk appetite and stakeholders’ needs.

3. The CISO should provide significant added value to business units through the use of security information, intelligence and capabilities where there is a top-down impact and positive contributions are acquired. Enterprises seek cost-benefit values for internal operations. Security functions should be able to deliver such requirements. The board should understand that with security investment, there is not only a ROI but value added to the business in return, which can be quantified (ROISI) and assessed qualitatively (reputational integrity).

4. Because communication strategy is one of the key elements in a successful alignment of risk units/functions within an enterprise, an understanding of the core audience groups, culture, ethics and, most importantly, communication channels are required. It is essential that the senior management team (SMT) deliver key messages, including business goals and objectives, whilst an effective feedback channel is established. The nature of the communicated messages must be understood by people who have no technical knowledge. Effective communication enables organisations to address most internal conflicts that may arise between different business units dealing with different risks.

5. An adequate and effective security awareness program must be developed. However, the CISO should take the lead in advocating a situational approach to security awareness. This situational awareness demands agility and flexibility whilst recognising and identifying the threat landscape and nature of attack. This must be supplemented by an impact assessment and vulnerability analysis. Traditional training programs and conventional methods lack adequate agility to deal with ever-changing technological performance and development. Constant and uniform approaches to security awareness programs are required to develop responses appropriate to the constantly evolving security landscape.

In summary, responding to technology risk and constantly changing security threats requires close alignment between ISRM and ERM. This can be achieved if business alignment between these two is established in a GRC environment. Technology departments (IT) should adapt their monitoring and reporting activities to the nature of risks to the business. The risk measurements and controls should fulfill enterprise risk appetite. The CISO plays a major role in establishing the connection between IT and other functions of an enterprise. An adequate and effective communication and awareness strategy should be high on the agenda for a CISO. The CISO is in a position to ensure that technological risks are addressed in such a way that business value is added to the enterprise.  

Image

About the Author: Reza has been working in various IT positions in the last 10 years and currently working as an information Security Consultant, helping his clients to become more effective and efficient typically through the strategic of information systems, risk management and security governance. Previously, Reza was working for a number of business consultancy firms that specialise in a wide range of consultancy services, such as information and IT security, risk management, business continuity, security governance and strategy in the Middle East. Having significant experience of the commercial sector at different levels of organisational hierarchy in various parts of the globe whilst working with variety of cultures and work ethics, and at the same time educated at PhD level in information security enables Reza to have a good understanding of current security threats, risks and their impacts. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.