A Risk-Driven Approach to Security, From Check Boxes to Risk Management Frameworks

Most industries are under regulatory pressure, so they take a compliance-driven approach to security to meet minimum requirements. But compliance requirements are often static and prescriptive, according to the security executives surveyed. Compliance can give organizations a false sense of security: passing an audit provides only a one-time snapshot of the controls in place, not an ongoing measure of exposure.

Risk Management More Important Than Ever

It can be easy to deploy security technology and assume you have mitigated the risk to your business. But technology investment alone is no guarantee of protection against the latest threats.

Studies indicate that despite serious business investment in modern security equipment, malware incidents still rose 58 percent year over year. According to the Ponemon Institute's recent "2016 Cost of Data Breach Study," the average total cost of a data breach increased from $3.79 million in 2015 to $4 million in 2016, based on responses from the 383 companies in 12 countries that participated in the study.

Managing risk helps to contain this cost. The shift to a risk management approach has been brewing for some time, according to the CISO Insights Study. Security leaders are realizing that simply checking the box on compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based, using a structured approach to identify risks and prioritize security investments accordingly.

Below are some more key takeaways on risk programs:

Compliance Is Just One Factor

Compliance doesn’t go away in a risk-based program. The regulations are still there, but department heads and managers have to start thinking in terms of acceptable risk levels rather than compliance requirements alone. It’s a change in language, and the moment when everyone understands the difference is transformational for the entire organization.

Risk Tolerance Evolves Over Time

An assessment plan and risk profile are expected to change over time, and it is difficult for organizations to assess risk properly before they have encountered a problem. Frequent conversations about how much risk department heads and senior management are comfortable accepting promote risk awareness across all lines of business.

Making Risk Management Work

Risk management breaks down into three distinct areas: strategic, tactical and operational. As organizations move to a risk-based approach, they can explore assessment platforms, work to create risk profiles and partner with third-party providers to perform risk assessments.

Explore Risk Assessment Methodologies and Tools

Security teams are adopting various governance and control frameworks, and it is clear that the CISOs surveyed use a mix of controls and frameworks rather than relying on just one. Frameworks in use range from the widely adopted National Institute of Standards and Technology (NIST) frameworks, ISO/IEC 27001 and COBIT to hybrid approaches customized to the organization’s needs.

Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives.

Figure 1: NIST Framework (Source: NIST)

Figure 2: Adopted Frameworks (Source: Wisegate IT, wisegateit.com)

Transform Your Security Program

IBM outlined 10 essential practices for a stronger security posture. Each practice is assessed against a maturity level:

Figure 3: 10 Essential Practices (Source: IBM)

Mapping the practices above to a maturity model yields a prescriptive assessment of where your organization stands against best practice.

Figure 4: Capability Maturity Model (Source: IBM)

Security services help organizations optimize their security programs with the skills needed to address modern risks. Through management consulting, managed services and systems integration, organizations can access the right skills, reduce complexity, gain access to global threat intelligence, build secure connected systems, and modernize existing security programs across their people, processes and technology.

At IBM, this service is built on six competencies:

  • Security Strategy, Risk and Compliance: Automating governance, risk and compliance programs;
  • Security Intelligence and Operations: Building and managing security operations and security fusion centers;
  • Cybersecurity Assessment and Response: Establishing robust security testing and incident management programs;
  • Identity and Access Management: Modernizing identity and access management for the cloud and mobile era;
  • Data and Application Security: Deploying robust critical data protection programs and establishing application security throughout the life cycle; and
  • Infrastructure and Endpoint Security: Redefining infrastructure and endpoint solutions with secure software-defined networks.

Figure 5: Continuous Monitoring to Facilitate Risk-Based Decision-Making (Source: IBM)

A Business-Driven Approach To Security

It’s clear that risk management programs give organizations a great deal of flexibility, but implementation still requires a tremendous amount of effort. A risk-based approach doesn’t eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that everyone can collectively agree on the right balance. Risk management requires buy-in from the top down so that new initiatives and processes are supported.

As an organization secures its business processes, a business-driven approach must become the guiding influence so that all the different security domains work together holistically, in alignment with the business objectives. Otherwise, the organization’s risk posture suffers from a misalignment of priorities between IT and the business strategy.

Aligning IT security with a business-driven approach also puts an organization in a position to have its unique business objectives drive its compliance, rather than having compliance drive its business. Too many organizations invest significant time and money to comply with industry and government regulations, only to find out too late that their key business processes were still vulnerable to attack. Managing security from a business-driven perspective enables an organization to secure those business processes in a way that inherently produces the evidence needed to demonstrate compliance.

Read the Full Report: CISO insights on moving from compliance to risk-based program

Ayman Hammoudeh

Senior Security Technical Sales Consultant, IBM

Ayman Hammoudeh is a senior security advisor working on the IBM Security portfolio within IBM. He has over eight years of security experience, including information security strategy and design, information security architecture, advanced persistent threats, incident response, forensics, risk management development, compliance advisement, project management, application security and code review, vulnerability assessment and penetration testing. He is an OWASP and (ISC)² chapter leader and a public speaker at various security events and conferences.