Shifting from compliance-based IT security to a risk-based model

IT security leaders discuss how and why organizations should make the change

Alexander agrees that security executives need to learn to think more like the business leaders in their organization, which can prove difficult given the background of many security managers.

“I think the important thing is that you need to build that alliance and that partnership with the business. Often times, security folks have come up either through law enforcement or the military or IT. When you look at any of those disciplines, they are not heavy on business and/or people skills, so they need to overcome that boundary or persona if you will,” Alexander said. “They need to sit down and they need to start understanding and asking questions; what is important to you at the end of the day? Then you get an understanding as to what is important for the business and then our job as information security folks is to take that interpretation, look at what they are trying to accomplish from a business perspective and put in a risk profile around it.”
IT security leaders also say that an organization’s tolerance for risk should change over time as it has to be dynamic and fluid to evolve as different threats emerge. In addition, Wisegate members said that CSOs need to make risk management work in their companies by involving all of the key stakeholders and getting top-down buy-in for the program. However, Alexander says security mangers shouldn’t expect the C-suite to automatically sign-on to a risk-based approach.

“It’s not something that happens over night by any means. It takes a lot of education and awareness to push (senior leadership) into the right direction,” she said. “When you’re looking at it from the real world perspective, such as what is the likelihood of a data breach happening and so on and so forth, that now gets their attention. Then they have a better understanding and they have an idea of what the threat landscape truly is not from a security perspective, but from a business perspective and you can begin to have that conversation with the executives as to where it is we need to focus our resources. It puts them at more ease and it puts the discussion in terms they know how to talk about.”

Gamby recommends that information security professionals think about the impact security controls and standards have on the business as a whole, as well as the overall culture of the organization to best determine how to make the move to a risk-based security model.

“The industry sets up the baseline for what you need to do to ensure that you mitigate risks at the level you’re comfortable with, but the reality is that a lot of the additional controls you put in place may be overly burdensome,” Gamby explained. “If you decide that a control, regulated or otherwise, is too burdensome to work with, the key is to make sure you document the reason why you decided not to implement that control. If it is determined that the risk is worthwhile, implement either process technology or people controls. If it is determined it is not worth the risk to do that because of cost of deployment or worries over the effectiveness of the control, document.”