The year 2014 was a big year for data breaches. No industry was spared in the attacks. Customers suddenly were forced to reevaluate who they did business with after they lost confidence or, worse yet, had their identity stolen. In 2015, companies are being forced to reconsider the budget and staffing that they devoted to their security but for many, shoring up security is only part of the problem.
Security Breaches in Upward Trend. Security Investment in Upward Trend.
Earlier this month the Identity Theft Research Center (ITRC) and IDentity Theft 911 released their 2014 Data Breach Report. The Data Breach Report is a compilation of the 783 total breaches that took place. Over 85 million records are known to have been exposed by these breaches, and countless others went unreported. This 27.5% increase in the number of breaches is causing companies to reconsider the budget, managed services, and staffing that they devote to security, but for many, shoring up security is only part of the solution. Every successful security strategy has to start with a solid risk management strategy.
Information Security vs Risk Management
Information Security is often defined as the act of protecting data from unauthorized access, modification or destruction. These practices include having proper firewalls or access controls in place between third-party vendors and internal networks, keeping antivirus and malware detection tools in place and updated, routinely patching vulnerabilities, and managing authentication and access methods for users. Information Security is typically a role within the IT department that ensures that new projects and existing infrastructure meet the requirements of regulations and compliance measures.
Risk Management is the identification, analysis, control, avoidance, or elimination of unacceptable risks to the business. While Information Security focuses primarily on IT, Risk Management takes a holistic view of the organization as a whole. The members of a true Enterprise Risk Management committee include staff from across the business, who determine not only what the security requirements are, but what the risk tolerance and risk appetite will be and what mitigation steps will be required.
How can an effective IT department plan new projects or design a security strategy when they don’t know the risk tolerance of the business? How can new software, hardware, solutions, or projects be planned and budgeted if the risk appetite isn’t defined? How can the business acquire a new company if they don’t understand the risks of integrating two disparate organizations?
PLAN, PLAN, PLAN
The old adage of “measure twice, cut once” applies to security and risk planning.
Measure – Help your organization develop an Enterprise Risk Management (ERM) strategy. Define the desired business balance of risk vs. cost. The organization may have a higher risk appetite for services that process non-critical, non-identifiable data than they would for their customer database and point of sale system. What is the cost to perform risk avoidance measures now vs. the future? Will they Avoid, Control, Accept or Transfer risk? What are the people risks outside of technology?
Measure – Ensure that your project has measurable risk indicators and events. Reporting on the state of the enterprise’s risk is critical to continuous improvement. What are the key performance indicators to measure against risk tolerance and risk appetite? How will risk management be scored?
Cut – Execute your plan and strategy. Reevaluate the risk appetite and tolerance of the organization throughout the lifecycle and not just at implementation. Did you reach your goal? How will ERM play a role in the next project and in the maintenance of the current infrastructure?
Risk is more than just “Am I patched and do I have access controls in place?” Risk includes understanding the business strategy so that the business can drive IT’s strategy, and taking measures to align the business and IT, which will optimize the projects that IT undertakes.
If your company is going to thrive, you require staff and consultants who not only secure your data but also protect the organization’s non-IT controlled aspects so that you don’t become the next Target, Home Depot or Sony in the news. The NTT Group is a recognized ‘Leader’ in Forrester’s Wave for Managed Security Services, North America and a ‘Challenger’ in Gartner’s Magic Quadrant for Managed Security Services, Worldwide. Contact NTT DATA to find out how we can help define your enterprise risk management strategy or assess your current risk profile.
- Nathan Aeder, Associate Director, Cloud Advisory Services – Senior Cloud Strategist
Post Date: 1/21/2015