Trustwave: How to effectively manage risk
When a colleague I used to work with wanted us to get to the core of the matter at hand, he would ask us to ‘cut through it’.
So, in this world of information security, risk and compliance, what do we see when we cut through it?
We see – despite great effort and expense – breaches occurring in just about every sector, whether in large or small-to-medium businesses. Why, in spite of the mitigation programs in place, do we still see so many of those same organisations being breached? The answer may surprise you.
According to numerous ‘global security’ reports, just shy of 70% of breaches are the result of the very basics not being managed.
So, are we managing risk effectively?
Risk management, according to Wikipedia ‘…is the set of processes through which management identifies, analyses, and, where necessary, responds appropriately to risks that might adversely affect realisation of the organisation’s business objectives’.
And how do we define ‘effective’ risk management?
I like to think of it as the holistic, interactive and continual process of managing risk: ensuring that management is aligned with the threat landscape and charters the appropriate governance to manage it, so as to ensure business continuity for the entity in question.
It’s all about business continuity, and whatever we do at the foundational level must support that end goal.
What, therefore, would an effective risk management program consist of?
There are a number of fundamental tenets that all effective risk programs must be built upon, and they are:
• Understanding the business objectives in relation to the protection of data.
• Performing comprehensive risk assessment (RA) with business impact analysis (BIA).
• Implementing IT controls commensurate with the value of the data to the business.
• Implementing control management systems.
• Implementing governance.
• Optimising an incident response and disaster recovery programme.
• Formalising the business continuity plan.
We don’t have the time and space to delve into each of these, but suffice to say that if your risk management program doesn’t contain all of these steps, you may be more vulnerable than you think.
In literally hundreds of thousands of forensic cases that Trustwave has performed, and an equal number of risk management engagements, we have come to see that it is not the lack of the latest and greatest that lets down those who try their best to protect their sensitive data and assets.
It is the basics, the very boring bits of information security, that are being de-prioritised. Many times they are de-prioritised in favour of the more glamorous areas, such as the latest technology, which may end up giving a greater false sense of security.
So what next for your business? Feel free to use the above framework and it should stand you in good stead in turning what may be an inappropriately-secure organisation into a secure-enough organisation.
Raymond Simpson - Recruitment Program Manager - Trustwave