From DDoS to IP theft, cyber attacks are taking their toll on organizations. Realizing the potential impact on the bottom line, the business is increasingly ready to participate in managing cyber risks. According to the Global State of Information Security® Survey 2014, leading organizations are “enhancing security capabilities in ways that show security is now a business imperative—not just an IT challenge.” The survey reveals that average losses from incidents are up 18% over last year, with large liabilities increasing faster than smaller losses. More proactive cyber risk management is required if organizations are to innovate and prosper.
If the business is ready to be part of the security equation, what’s the game plan for security teams? They need to establish formalized, consistent security processes that will integrate into critical business processes. Security teams will have to work closely with the business to establish goals, educate on risks, and communicate solutions. It requires an understanding of how information is used in conducting business and the best way to protect critical business processes end-to-end.
The SBIC has been championing the need for businesses to proactively manage cyber risk for some time now. Our latest report is focused on optimizing security processes and draws attention to the fact that the ad hoc processes from the days of checklist compliance and perimeter-based security will not manage today’s cyber risks. The report – Future-Proofing Processes – highlights some of the most problematic outcomes of outdated security processes:
- Using technical terms for risk measurement makes advising business leaders difficult
- Cumbersome manual methods for tracking risks are not business-friendly
- Point-in-time, piecemeal control assessments are no longer sufficient
- The system for third-party security assessments and oversight needs fixing – fast
- Headway needs to be made towards meaningful collection and analysis of threat data
The report’s five recommendations provide guidance on how to update existing processes, design key new processes, and upgrade techniques to help move information security programs forward. They include:
- Shift Focus from Technical Assets to Critical Business Processes – start documenting processes and think about how to protect the most critical business processes end-to-end
- Institute Business Estimates of Cybersecurity Risks – develop scenarios estimating the likelihood and impact of incidents, and hone techniques to quantify risks by projecting monetary losses
- Establish a Business-Centric Risk Assessment Process – use automated tools for tracking risks and hold the business accountable
- Set a Course for Evidence-Based Controls Assurance – collect relevant data to test the efficacy of controls on an ongoing basis, for both internal and third-party assessments
- Develop Informed Data-Collection Methods – examine the types of questions data analytics can answer, then build a set of data use cases
As information security teams face greater demands and elevated expectations, a fresh look at key processes can be an enabler for positive change. We’re confident that this latest guidance can help your organization zero in on processes that deserve some attention.
“With everything happening in business, technology, the threat landscape, there is a spotlight on the information security function right now – it needs to evolve in order for organizations to be successful. As practitioners, we have a unique window of opportunity to really innovate the way we do security.”
Roland Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.