Security Management Strategies for the CIOAccess "Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way"
This article is part of the October 2009 issue of Winners of Information Security magazine's Security 7 Award
Risk metrics were virtually non-existent three years ago when I took over as Kodak's global IT security and risk manager. The company's risk management process was cumbersome, time-consuming, inconsistent, and subjective; as a result, we were lacking a comprehensive picture of our security posture to the business. I wanted a security metrics program that not only supported the budgeting and investment process for IT security but also provided an "at-a-glance" view of the overall risk posture. I researched different risk models from the National Infrastructure Advisory Council (NIAC), the National Institute of Standards and Technology (NIST), and Microsoft SFT, and came away with the opinion that their models would not fit our requirements relative to management and overhead. I decided instead to rely on my previous business experience to develop our current metrics program: a tier-based approach to IT security risk management that uses a set of standard probability and business impact frameworks to provide a lean assessment process. One of the keys to our ... Access >>>
Access TechTarget
Premium Content for Free.
What's Inside
Features
-
-
Melissa Hathaway: Government Must Keep Pace with Cybersecurity Threats
by Melissa Hathaway, Contributor
Securing the Internet means to much to the future of the U.S. economy and national security.
-
Bernie Rominski: Communicate Effectively with Management about Risk
by Bernie Rominski
Learn how to communicate with senior management about risk; it's your job.
-
Information Security magazine Security 7 Award winners
Information Security magazine annouces the winners of its fifth annual Security 7 Awards.
-
Jerry Freese: Make Critical Infrastructure Protection a Priority
by Jerry Freese
Critical infrastructure protection must be addressed today to protect our country tomorrow.
-
Adrian Perrig: Improve SSL/TLS Security Through Education and Technology
by Adrian Perrig
Carnegie Mellon University's CyLab designs security to improve all aspects of society.
-
Melissa Hathaway: Government Must Keep Pace with Cybersecurity Threats
by Melissa Hathaway, Contributor
-
-
Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way
by Bruce Jones
Security metrics must, not only provide a view of security posture, but must support security budgeting and investment processes.
-
Tony Spinelli: Prioritize Information Security over Compliance
by Tony Spinelli
Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.
-
SOX compliance burdens midmarket security teams
Smaller public companies bear significantly higher pain in terms of revenue and costs per employee complying with Sarbanes-Oxley.
-
Developers Need Help with Security Errors
SQL injection attacks continue to plague Web applications. Companies need to invest in technology and education to hold off hackers.
-
Jon Moore: Build a Security Control Framework for Predictable Compliance
by Jon Moore
Health care provider Humana Inc., has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.
-
Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way
by Bruce Jones
-
Columns
-
Editor's Desk: Security 7 Winners Chronicle Trends That Shape The Industry
Looking back at five years of award winners provides a timeline of security trends that you need to absorb.
-
How to avoid Internet liability lawsuits
by Jeanne Debus
Enterprises face numerous potential liabilities online. Avoiding lawsuits requires a sound cyber risk management plan.
-
Editor's Desk: Security 7 Winners Chronicle Trends That Shape The Industry
More Premium Content Accessible For Free
Compliance and risk modeling
E-Zine
You can fight compliance or embrace it, but one way or the other, you can’t escape it. Increasingly, smart organizations are not just accepting ...
Essentials: Threat detection
E-Zine
Antivirus and intrusion prevention aren’t the threat detection stalwarts they used to be. With mobile endpoints and new attack dynamics, enterprises ...
Managing identities in hybrid worlds
E-Zine
The world in which successful IAM programs must be implemented is increasingly complex, a mix of legacy on-premise IAM infrastructures, cloud-based ...