The information security function is an interesting component of a business. Unlike traditional business functions that are relatively static, information security is evolving practically every day. It’s a remarkably complex field given all the elements involved — from technical systems and business workflows to documentation and people. These complexities, combined with the reality that security is often more of a reactive function of the business, mean you have quite the multi-faceted challenge on your hands.
The first step to making information security risk management more manageable is to take stock of what you have to secure and what steps need to be taken to secure it. Reality has taught us that we cannot secure the things that we don’t acknowledge. However, it’s safe to say that many (probably most) business executives and IT staff alike don’t know what they don’t know as well as the security risks facing their environments.
Common Pitfalls in Security Risk Management
In my work performing independent security assessments, I often come across IT and security staff, software developers and others involved with security who struggle to manage things such as:
- Where sensitive information is stored on the network
- Which information security standards and policies are expected of everyone
- What’s taking place on the network at any given time
- How existing technologies are helping, or hindering, risk management efforts
- How network hosts, operating systems, third-party software and internally developed applications are currently at risk
On top of this, business functions like HR are often disconnected from security functions involving policies and training. Public relations staff often have no part in incident response. It’s not uncommon to see disconnected legal counsel or, even worse, lawyers making their own decisions about security without involving security team members. All of this creates or facilitates unnecessary security risks. These challenges are more common than you’d think, existing even in large, mature businesses that have dedicated security staff.
Getting to Where you Need to Be
If you feel like your organization could use a security overhaul or needs help understanding how your business is at risk, what can you do? It all starts with an in-depth risk assessment.
Technically, even before such an assessment is performed, you’ll need management buy-in. If you don’t have that, you’re not going to get the budget and political backing necessary to perform the assessment — much less do what’s necessary to close the identified gaps.
Assuming you have the proper security buy-in, the way to shore up your information security program is by assessing the following three situations:
- What’s on your network, what you’re responsible for protecting and how it must be protected. Interestingly, many people don’t know the answers to these questions. They may lack visibility or critical asset inventory, not understand regulations such as PCI DSS, HIPAA and GDPR, or fail to grasp the security best practices they should be following. Whatever the reason, not knowing the answers to these questions is the cause of many common security challenges.
- Which threats and vulnerabilities exist. Just because you know your environment doesn’t mean that you understand how your systems and information are at risk. The only reasonable way to address the security issues that are both urgent and important is to perform an in-depth security assessment that looks at all aspects of IT operations — both technical and administrative.
- What steps are necessary to mitigate the most important threats. I’ve witnessed many security improvement projects that ended as soon as they began. From the moment the final security assessment report is delivered, many people (both technical staff and executive management) decide that things are good enough or that the budget is insufficient to see recommendations through to mitigation. But the reality is, the majority of security risks are basic items that can be easily resolved without spending a ton of money. Solutions typically involve better system maintenance, application code updates and enhanced user training.
If you take these steps and vow to seek out your security weaknesses on a periodic and consistent basis, security can become more like a static business function. Imagine a security program strong enough that it just becomes business as usual. It’s possible if you decide to make it so. The important part is to acknowledge that there may be risks you’re not aware of, and to do what’s necessary to discover what those risks are and take steps to mitigate them.