In industry best practices and regulatory requirements, much is written about information security programs and what these programs must address As recently as this year, Massachusetts' law regarding protection of personal information put forth explicit requirements for written information security programs.
Regulations and best practices contain useful advice and generally sound requirements, but rarely -- if ever -- do they address the issue of ensuring the information security program is aligned with the company's tolerance for risk. Why is this topic absent, both in regulations and in best practice advice? How many companies actively discuss and manage information security risk tolerance?
Understanding a company's risk tolerance related to securing information means that the information security department knows the degree to which the company's senior management requires their information be protected against a confidentially leak or data integrity compromise. And using that knowledge, the information security department has put policies and practices into place to support that risk tolerance. Without this understanding, the company may be overspending (protecting data too much) or not protecting its assets to the level expected and required by the business leaders.
The absence of this requirement from regulations and best practices may be due to the extraordinary challenge of discussing risk tolerances. To achieve a well-understood security risk tolerance, a frank and clear conversation with the company's senior management on the degree to which information should be protected has to occur. The conversation must include the discussion that not all data should be protected and even that not all important data should be protected at the same level.
The conversation must lead to such conclusions as, for example, customer and employee information should have a very low level or six sigma level of known exposure points (six sigma level represents a very low tolerance for information compromise -- fewer than 3.4 defects in one million occurrences), while non-confidential information can tolerate higher potential exposure levels such as one sigma -- close to 700,000 defects per one million occurrences.
It is only with that degree of understanding that security professionals and technical engineers can build systems and measurements to satisfy the company's requirements and risk tolerances.
It is important to note that this is not simple and one conversation will not suffice. This will take many conversations and ongoing discussions. It requires discipline, common terms and language, and an ability to recognize that calibrating risk tolerances understood by business leaders and actualized by technology leaders is an ongoing process. Risk tolerances are not easy to articulate nor are they static. Many companies find that their risk tolerance changes when an event occurs -- their stated tolerance may be too high when faced with an actual security event that compromises data.
The core of any effective information security program is protecting and reporting on the ability to protect information commensurate within three main categories: 1) regulatory guidance, 2) commercially reasonable and/or best practices, and 3), the company's risk tolerance for data compromise.
Programs have become mature over time related to regulatory guidance and best practices. However, a new maturity level needs to be achieved: securing information in alignment with the company's stated risk tolerance. It is only with this level of maturity that an information security program can fulfill its mission: to protect information to the level defined by the organization, its regulators, and commensurate with its industry.
Susan L.T. Neubauer is the CISO at TIAA-CREF, a Fortune 100 financial services company.. Send comments on this column to firstname.lastname@example.org