A new survey from Southern Methodist University's Darwin Deason Institute for Cyber Security showed that enterprise executives are shifting away from compliance as a security investment driver and adopting more proactive security and risk management approaches. Specifically, the survey identified the increased use of security and risk assessment frameworks as a major contributor to this trend. How important are risk assessment frameworks for enterprise security programs, and are there specific ones you'd recommend?
Southern Methodist University's Darwin Deason Institute for Cyber Security published a survey in October 2015 that reported that the majority of the 40 executives polled are adopting a more risk-based approach to information security. This is good news, especially since information security frameworks and professional certifications have always taught that risk should drive protection measures.
There are several risk assessment frameworks worth mentioning. NIST SP 800-30 is a frontrunner; other prominent frameworks include OCTAVE, FAIR and TARA. Industry-accepted risk assessment frameworks have the benefit of being vetted by pundits who understand comprehensive methodologies. It's a good idea for enterprises to use them, since developing their own introduces the likelihood of missing segments that might skew the understanding of risk. Established frameworks are also more readily accepted by the assessment and audit groups that review risk assessments for compliance.
Risk can be accepted, mitigated or transferred: one can do nothing (accept), reduce the risk (mitigate) or buy insurance (transfer). Risk assessment frameworks provide the methodology to support all three decisions. They can be quantitative or qualitative. Quantitative risk frameworks use calculated algorithms to discretely and objectively identify the value of assets, threats, vulnerabilities, likelihood and confidence levels. Qualitative risk frameworks identify the same aspects but are more subjective, providing a general indication of the significant areas of risk that should be addressed.
Vetted risk assessment results also benefit the security team when it presents its findings to executive management. The benefits include:
- Better understanding of IT and security risks related to the business model;
- Justification in the budgeting process for additional resources, services and tools;
- Assurance that the information security program is focused on proper protection of the right assets; and
- Confidence that the CISO is managing the information security program well.
Many times compliance overrides risk: if a control or process is required by regulation, it needs to be deployed. However, a risk assessment framework, which should include compliance risk, will describe to what level the controls need to be implemented. Without a proper view of risk, the information security program might omit proper levels of controls, or it might over-control and incur unnecessary costs for the enterprise.
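As an added example that is not part of Villegas's answer: a small Python risk register that scores each risk quantitatively (the ALE = asset value × exposure factor × annualized rate of occurrence formulation common to NIST SP 800-30 era training material, assumed here rather than taken from the article) and qualitatively (likelihood × impact), then picks accept, mitigate or transfer by comparing expected annual costs. The two risks, control costs and insurance premium are constructed sample values; the second case shows the over-control outcome the answer warns about, where a control costs more than the exposure it removes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    asset_value: float      # dollars lost if the asset is completely compromised
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # annualized rate of occurrence (incidents per year)
    likelihood: int         # qualitative rating 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative rating 1 (negligible) .. 5 (severe)

def ale(risk: Risk) -> float:
    """Quantitative score: annualized loss expectancy = SLE x ARO, where
    SLE (single loss expectancy) = asset value x exposure factor.
    Assumed standard formulation, not taken from the article."""
    return risk.asset_value * risk.exposure_factor * risk.annual_rate

def qualitative_score(risk: Risk) -> int:
    """Qualitative score: a likelihood x impact heat-map cell (1..25)."""
    return risk.likelihood * risk.impact

def treatment(risk: Risk, control_cost: float, control_reduction: float,
              premium: Optional[float] = None) -> tuple:
    """Choose accept / mitigate / transfer by comparing expected annual cost.
    control_reduction is the fraction of ALE the control removes; premium is
    the annual insurance cost, assumed to cover the full loss when given."""
    current = ale(risk)
    options = {
        "accept": current,                                   # do nothing
        "mitigate": control_cost + current * (1 - control_reduction),
    }
    if premium is not None:
        options["transfer"] = premium                        # buy insurance
    choice = min(options, key=options.get)
    return choice, options

def rank_register(risks: list) -> list:
    """Order a register by ALE, highest first, for the executive summary."""
    return [r.name for r in sorted(risks, key=ale, reverse=True)]

# Constructed sample register (illustrative numbers, not survey data).
CUSTOMER_DB = Risk("customer database breach", 2_000_000, 0.25, 0.2, 2, 5)
LAPTOP_THEFT = Risk("unencrypted laptop theft", 5_000, 1.0, 2.0, 4, 2)

if __name__ == "__main__":
    print(rank_register([LAPTOP_THEFT, CUSTOMER_DB]))
    print(treatment(CUSTOMER_DB, 30_000, 0.8, premium=70_000))  # mitigate
    print(treatment(LAPTOP_THEFT, 15_000, 0.9))                 # accept
```

For the database risk a $30k/yr control that removes 80% of a $100k ALE beats both doing nothing and a $70k premium; for the laptop risk a $15k/yr control against a $10k/yr exposure is rejected as over-control.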
Related Q&A from Mike O. Villegas