Over the years, I’ve seen a remarkable shift in the way organizations approach their cybersecurity strategies. After the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) debuted, most security programs focused on compliance issues. Organizations scrambled to ensure their operations were up to par before the auditors arrived.
Today, the conversations I have with security leaders center on risk. Compliance may still play an important role in regulated industries, but the modern, risk-based approach to security sees organizations evaluating security issues within their business context and then investing in the technologies, people and processes that best address those risks.
Where Does Compliance Fall Short?
Although compliance standards provide a blueprint for security controls, the regulatory bodies that produce them concentrate on one particular subset of business operations rather than the holistic interests of an organization. The payment card industry, for instance, worries about how organizations handle cardholder data; healthcare regulators are concerned about medical records. Regulatory bodies don't step back, ask how a business operates and then provide best practices that organizations can use to secure their whole operating environment. That is not their role.
As a result, compliance remains a legal necessity, but meeting a standard is not sufficient to discharge an organization's broader legal, ethical and fiduciary obligations related to information security and privacy: a system can pass an audit and still leave the organization's most important assets exposed.
Enter the Risk-Based Security Approach
Risk-based security strategies begin with a comprehensive risk assessment, conducted by either an internal team or an external consulting firm. The assessment takes the holistic view that compliance standards lack by balancing business goals with technical constraints and the current threat landscape. It looks at all aspects of business operations, identifying cybersecurity risks to those operations and appraising the controls that protect the organization’s assets.
The assessment results in a prioritized gap analysis that lists the areas where an organization’s security controls don’t do enough to address related risks. IT leaders can then use those results to guide their future activities and purchases. In many cases, leaders initiate a series of projects designed to remediate control gaps with a combination of technology solutions, administrative practices and physical controls.
The focus on risk-based cybersecurity reflects a broader trend in the business community to improve risk oversight at the executive and board levels. Enterprise risk management (ERM) programs seek to identify financial, reputational and operational risks to an organization and ensure there are adequate strategies in place to control those risks and preserve the ongoing viability of the organization. Organizations with a mature ERM program find that risk-based security practices slide neatly into those efforts, while those without an ERM approach may learn that implementing a risk-based cybersecurity program leads to more mature risk-based decision-making in other areas of the business.