Who to Trust? Effectively Assessing Third-Party and Vendor Risk

In many organizations, cybersecurity is maturing from a purely technical discipline into a component of enterprise risk. That means companies should assess infosec risks against the same broad framework used for other enterprise risks. This is a great development. But there’s a catch. Just because businesses need to assess all risks against a common framework…

Incident Response: Implement a Communications Plan

We all know what it’s like to uncover the first signs of a security incident: the huddled conference to confirm a plan of action, the sigh of relief when it appears the hack hasn’t reached vital systems, and then the sinking feeling in the pit of your stomach when you realize it has. Most mature…

Managing Distributed Risk: A Strategy for Minimizing Risk from Third-party Engagement

If you’re like most IT professionals, you’ve noticed that your roster of third-party providers continues to grow. Whether you’re using software as a service (SaaS) applications (as virtually every organization does), offshore developers, cloud services like infrastructure as a service (IaaS) or platform as a service (PaaS), or document-sharing solutions, you probably have a…

Information Security and Enterprise Risk: How Do They Relate?

As of 2014, information security has become a board-level concern. Senior business executives—including the president, chairman, and board of directors—are paying attention to enterprise risk and information security in a way they never have before. The reason is obvious: the steady drumbeat of high-profile companies that have been successfully attacked, and the associated business costs of those…

What’s an Asset?

Ask a security professional for his or her job description, and you’re likely to get an answer along the lines of, “Protecting the company’s assets from being stolen or compromised.” Then try asking what they mean by “assets.” You’ll almost certainly get either a blank stare or an irritated scowl. Everyone knows what an asset…

Security as a Business Enabler

Does your organization view information security as a business enabler? The typical answer? “No way” (or something less polite). Most companies think of information security as a business inhibitor: a roadblock on the path to agility, productivity, and employee empowerment. At best, it’s a necessary evil; at worst, it’s burdensome overhead. Yet a sizable percentage…