Shifting from compliance-based IT security to a risk-based model

In the ever evolving threat landscape that is IT security, some security executives have become so focused on taking an approach that meets compliance requirements that their attention has become diverted away from some of the actual risks facing their respective organizations. Obviously complying with rules and regulations set forth is important, but some organizations are making it the primary guiding principle of their security program.

Wisegate, a membership body for senior IT professionals, recently polled security executives across a variety of industries to get their advice on how their peers can make the shift from a compliance-based security model to one that is more risk-based. Among those members asked about the top factors influencing their information security/risk management program, 73 percent said that compliance requirements were the primary driver. Other responses included:

  • General threat landscape facing the business, technology and employees – 47 percent
  • It is the right thing to do/we prefer to initiate change rather than react to events – 47 percent
  • A recent security “close call” without external reporting requirements – 21 percent
  • Recent security incident requiring external notification – 15 percent

According to Wisegate members, compliance should become just one factor in the organization’s risk management program and that security managers should start thinking in terms of acceptable risk rather than meeting compliance requirements that can simply be marked off on a checklist.

“If you’re focusing just on compliance, you will never be 100 percent compliant. You’ll just never accomplish that,” explained Candy Alexander, CSO for Long Term Care Partners, an insurance company for federal employees. “The technology environment changes daily. A lot of organizations when they setup a compliance program, they will set a goal of 100 percent; that’s not going to happen, so be realistic there. If you focused on simply being compliant, you will never be 100 percent secure. You will never protect your environment 100 percent. With that being said, if you shift that focus to a risk perspective, you’re going to protect your environment and you will be compliant because compliance is just a factor in that risk profile.”

According to Randall Gamby, a founding member of Wisegate who serves as information security officer at the Medicaid Information Service Center of New York, one of the fundamental errors that many people make is thinking that compliance is an “end state” for their security program.

“People think if I have a HIPAA requirement and I meet those HIPAA controls then I have no other security issues that I need to address. The reality is that all compliance (frameworks), whether they are industry compliance requirements, federal or even international requirements, all of these are baseline standards and you have to think of compliance as the basement of where your security starts,” he said. “You have to make sure that you secure the compliance stuff and then you have to look at the other information that doesn’t fall underneath the regulation so you can secure that as well.”

Gamby added that there has been a change within the information security community in that more security mangers now view things from the overall business perspective, rather than just their individual silo.

“Originally, the goal of information security was to protect IT services and it was plain black and white. Can I do this, yes or no?” Gamby said. “What people started to realize was that the security office ended up being more of a roadblock to the growth of the organization rather than a proponent of the business values and direction that things had to go to. CISOs (chief information security officers) and ISOs (information security officers) have had to actually change their thought process. The question is not yes or no; the question is what is the business value that applies to this?”

Alexander agrees that security executives need to learn to think more like the business leaders in their organization, which can prove difficult given the background of many security managers.

“I think the important thing is that you need to build that alliance and that partnership with the business. Often times, security folks have come up either through law enforcement or the military or IT. When you look at any of those disciplines, they are not heavy on business and/or people skills, so they need to overcome that boundary or persona if you will,” Alexander said. “They need to sit down and they need to start understanding and asking questions; what is important to you at the end of the day? Then you get an understanding as to what is important for the business and then our job as information security folks is to take that interpretation, look at what they are trying to accomplish from a business perspective and put in a risk profile around it.”
IT security leaders also say that an organization’s tolerance for risk should change over time as it has to be dynamic and fluid to evolve as different threats emerge. In addition, Wisegate members said that CSOs need to make risk management work in their companies by involving all of the key stakeholders and getting top-down buy-in for the program. However, Alexander says security mangers shouldn’t expect the C-suite to automatically sign-on to a risk-based approach.

“It’s not something that happens over night by any means. It takes a lot of education and awareness to push (senior leadership) into the right direction,” she said. “When you’re looking at it from the real world perspective, such as what is the likelihood of a data breach happening and so on and so forth, that now gets their attention. Then they have a better understanding and they have an idea of what the threat landscape truly is not from a security perspective, but from a business perspective and you can begin to have that conversation with the executives as to where it is we need to focus our resources. It puts them at more ease and it puts the discussion in terms they know how to talk about.”

Gamby recommends that information security professionals think about the impact security controls and standards have on the business as a whole, as well as the overall culture of the organization to best determine how to make the move to a risk-based security model.

“The industry sets up the baseline for what you need to do to ensure that you mitigate risks at the level you’re comfortable with, but the reality is that a lot of the additional controls you put in place may be overly burdensome,” Gamby explained. “If you decide that a control, regulated or otherwise, is too burdensome to work with, the key is to make sure you document the reason why you decided not to implement that control. If it is determined that the risk is worthwhile, implement either process technology or people controls. If it is determined it is not worth the risk to do that because of cost of deployment or worries over the effectiveness of the control, document.”