"The increasing responsibilities can sometimes impact the focus that is necessary in the day-to-day security function. Also, establishing the credibility of the new function is something that must be overcome confidently and quickly," he said. "I have also seen some pushback from the security function itself, as some of the technical operations may not see the need for the risk-based methodology. The function needs to be implemented iteratively, beginning with a board-level mandate, wide publicity, seed financing to establish base level solutions, and the celebration of documented success. I have also witnessed the powerful tool of a high-level and cross-functional committee that I chair that meets quarterly on all things security, risk, privacy, and compliance."
Among the benefits of moving to a risk-based model, according to Agcaoili, are being able to define your risks, prioritize them and structure your security roadmap. For those who are in the process of moving to a risk-based security management model, or are thinking about doing so, Agcaoili advises looking over the aforementioned frameworks and having conversations with industry peers to learn how they have made similar transitions.
"Interacting with others that have applied those frameworks has given me a forum and a network of other people that I can share ideas with and say 'hey, this is how we have applied it, how have you applied it and how did it work for you?' and the dialogue begins," he added. "For me and the other leaders in information security, we’ve all been working together for the last half-decade to evolve and grow and share. My approach is battle-hardened on the job, but it is also battle-hardened with my peers."