Most industries are under regulatory pressure, so they take a compliance-driven approach to security to meet minimum requirements. But compliance requirements are often static and prescriptive, according to security executives. Compliance can give organizations a misleading sense of security, and it provides only a one-time snapshot.

Risk Management More Important Than Ever

It can be easy to deploy security technology and think you’ve mitigated risk to your business. But sadly, technology investment is no guarantee of protection against the latest threats.

Studies indicated that despite serious business investment in modern security equipment, there was still a 58 percent year-over-year increase in malware incidents. According to the recent “2016 Cost of Data Breach Study” from the Ponemon Institute, the average total cost of a data breach increased from $3.79 million in 2015 to $4 million in 2016, based on responses from the 383 companies in 12 countries that participated in the study.

Managing risk can help to mitigate this cost. The shift to a risk management approach has been brewing for some time, according to the CISO Insights Study. Security leaders are realizing that simply checking the box to address compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based by using a sophisticated approach to determine risks and prioritize security investments.

Below are some more key takeaways on risk programs:

Compliance Is Just One Factor

Compliance doesn’t go away entirely, even in a risk-based program. The regulations are still there, but department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements. It’s a change in language, and the moment when everyone understands the difference is transformational for the entire organization.

Risk Tolerance Evolves Over Time

An assessment plan and risk profile are expected to change over time. It is also difficult for organizations to properly assess risk before encountering a problem. However, frequent conversations about what department heads and senior management are comfortable with promote risk awareness across all lines of business.

Making Risk Management Work

Risk management breaks down into three distinct areas: strategic, tactical and operational. As organizations move to a risk-based approach, they can explore assessment platforms, work to create risk profiles and partner with third-party providers to perform risk assessments.

Explore Risk Assessment Methodologies and Tools

Security teams are adopting various governance and control frameworks, and it is clear that members are using a mix of controls and frameworks instead of relying on just one. Frameworks in use range from widely adopted National Institute of Standards and Technology (NIST), ISO 2700 and COBIT to hybrid approaches customized for the organization’s needs.

Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives.

Figure 1: NIST Framework (Source: NIST)

Figure 2: Adopted Frameworks (Source: Wisegate IT)

Transform Your Security Program

IBM outlined 10 essential practices for a stronger security posture. These practices are assessed on a maturity-level basis:

Figure 3: 10 Essential Practices (Source: IBM)

Aligning the above to a maturity model offers a prescriptive assessment of your company versus best practices.

Figure 4: Capability Maturity Model (Source: IBM)

Security services help clients optimize their security program with skills to address modern risks. Organizations can access the right skills, reduce complexity, gain access to global threat intelligence, build secure connected systems, and modernize existing security programs across their people, processes and technology with management consulting, managed services and systems integration.

At IBM, this service is built on six competencies:

  • Security Strategy, Risk and Compliance: Automating governance, risk and compliance programs;
  • Security Intelligence and Operations: Building and managing security operations and security fusion centers;
  • Cybersecurity Assessment and Response: Establishing robust security testing and incident management programs;
  • Identity and Access Management: Modernizing identity and access management for the cloud and mobile era;
  • Data and Application Security: Deploying robust critical data protection programs and establishing application security throughout the life cycle; and
  • Infrastructure and Endpoint Security: Redefining infrastructure and endpoint solutions with secure software-defined networks.

Figure 5: Continuous Monitoring to Facilitate Risk-Based Decision-Making (Source: IBM)

A Business-Driven Approach To Security

It’s clear that risk management programs provide organizations with a lot of flexibility, but implementation still requires a tremendous amount of effort. A risk-based approach doesn’t eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that everyone can collectively agree upon the right balance. Risk management requires buy-in from the top down so that there is support for new initiatives and processes.

As an organization secures its business processes, a business-driven approach needs to become the guiding influencer to ensure that all the different security domains work together in a holistic manner in alignment with the business objectives. Otherwise, the organization’s risk stance becomes vulnerable due to misalignment of priorities between IT and the business strategy.

Aligning IT security with a business-driven approach can also put an organization in a position to have its unique business objectives drive its compliance rather than having compliance drive its business. Too many organizations invest significant time and money to comply with industry and government regulations only to find out too late that their key business processes were still vulnerable to attacks. Approaching security management from a business-driven perspective enables an organization to secure those business processes in a manner that inherently produces the evidence needed to demonstrate compliance.

Read the Full Report: CISO insights on moving from compliance to risk-based program
