For many organizations, Information Risk Management and Security (IRMS) is rapidly advancing in both concept and practice. At such a fast pace, it’s not too surprising that even the most experienced IT Risk and Security professionals will make mistakes.
Recently, John Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP and President of IP Architects, LLC, co-authored a useful executive brief with Tripwire’s Chief Technology Officer, Dwayne Melancon. Both John and Dwayne have spent many years not only practicing and learning in the industry, but also talking with CISOs and other IT security and risk professionals about this topic. In this paper, they discuss the five most common mistakes to avoid in managing risk and security.
The top 5 mistakes to avoid:
- FOCUS ON SECURING TECHNOLOGY INSTEAD OF BUSINESS PROCESSES AND DATA
- DEVELOP METRICS AND MEASURES WITHOUT THRESHOLDS AND ACTIONS
- USE THE WORD “RISK” WHEN YOU ACTUALLY MEAN “THREAT” OR “VULNERABILITY”
- TRUST, BUT FAIL TO VERIFY
- FEAR THE AUDITOR MORE THAN THE ATTACKER
Whether the mistakes are big or small, few or many, each has the potential for long-lasting negative impact on your business. When we understand what these common mistakes are and learn from them, we will be more successful with IRMS. That’s the goal here. If this interests you, you can read more about the topic in the full 4-page executive brief.
All the best,