In the trenches
Assessments, people problematic in managing risk
Security managers must stave off risk with comprehensive assessments.
"With big risks come big rewards" doesn't hold true for security managers, for whom big risks are a recipe for big failures. And, while risk factors differ between markets, the challenges and best practices for maintaining a risk management strategy are surprisingly similar.
"Risk management is an essential component to the information security officer; you can't secure things you don't know about," says Stan Gatewood, CISO at the University of Georgia.
Security managers say documenting risks is one of their greatest challenges.
"Risks aren't solely confined to technical operations; there are often compliance and other esoteric risks to consider," explains Ernie Hayden, CISO for the Port of Seattle.
Budget constraints are also commonly cited as pain points, especially for government-funded institutions, whose employees are often asked to do more with less.
People can be problematic, too. "Complacency is often a factor. Many believe in an 'if it ain't broke, don't fix it' attitude, making it hard to move from a reactive to a proactive mindset," Gatewood says.
So what can be done to reduce the risk of data loss? For those who have the budget, use products that not only help manage risk but offer a good ROI.
Nick Garbidakis, CIO/CTO for the American Bible Society, uses Ecora Enterprise Auditor.
"Without this kind of system, someone has to go through every server and update manually. The system makes sure everything is updated and gives us reports. Before, we were reactive to issues. The reports show us who was in systems, what happened overnight. It enables us to be more proactive," he says.
Those who don't have the budget can start investigating policies and standards, like NIST 800-30, COSO and ISO 27001, to provide guidance for risk assessments.
Once a risk assessment has been conducted, CISOs should be able to classify risk types and define acceptable risk levels. The next step is education at every tier.
"I conduct seasonal brown-bag seminars that employees can voluntarily attend," says Hayden.
For upper management, provide quantifiable data and position yourself as an expert in the field, recommends Gatewood. "This means doing your homework, putting on the glasses, reading about risk management and how it applies to your sector."
Equally important, Hayden says, is to respect and trust senior management, regardless of what they do with the information gathered; they may know something you don't that may contribute to business failure.
Finally, keep abreast of security issues.
"Bad guys are getting sophisticated, and technical controls aren't as strong as they used to be. Therefore, we need to think through all risk factors," says Hayden.