Compliance with security standards such as ISO/IEC 27001 and PCI DSS doesn't necessarily make an enterprise's security controls effective and economical. Simply following long checklists and implementing basic controls to meet a standard's requirements won't automatically create a coherent strategy that builds a resilient operating environment that can handle current and future threats.
A risk-based security approach, on the other hand, identifies the true risks to an organization's most valuable assets and prioritizes spending to mitigate those risks to an acceptable level. A security strategy shaped by risk-based decisions enables an organization to develop more practical and realistic security goals and to spend its resources more effectively. It also delivers compliance, not as an end in itself, but as a natural consequence of a robust and optimized security posture.
Although a risk-based security strategy requires careful planning and ongoing monitoring and assessment, it doesn't have to be an overly complex process. There are five key steps to implementing risk-based security, and though time-consuming, they will align security with the goals of the organization. Board-level support is paramount. Input from numerous stakeholders throughout the organization is essential, as risk mitigation decisions can have a serious effect on operations, which security teams may not fully appreciate if they make these decisions in isolation.
Step one: Asset valuation
Determine what the organization's key information assets are, where they are and who owns them. Look beyond material terms to determine their value. Include in the evaluation the business impact and costs of a compromise of an asset's confidentiality, integrity or availability, such as lost revenue from an order-entry system going down or the reputational damage caused by a website being hacked. Evaluating assets this way ensures those that are most important to the day-to-day continuity of the organization are given the highest priority when it comes to security.
Step two: Identifying threats
The next step is to identify who may want to steal or damage these assets, why and how they may do it. This includes competitors, hostile nations, disgruntled employees or clients, terrorists and activists, as well as non-hostile threats, such as an untrained employee.
Consider also the threat of natural disasters such as floods and fire. Each identified threat needs to be assigned a threat level based on the likelihood of it occurring. Estimating the likelihood of a particular scenario requires input from business managers, whose sector-specific knowledge complements the security team's own threat intelligence assessments.
Step three: Identifying vulnerabilities
A vulnerability is a weakness that a threat can exploit to breach security and steal or damage key assets. Penetration testing and automated vulnerability scanning tools can help identify software and network vulnerabilities, but physical vulnerabilities also need to be taken into account. Are perimeters secure and patrolled, are fire extinguishers regularly checked and backup generator systems tested? There are also vulnerabilities associated with employees, contractors and suppliers such as being susceptible to social engineering-based attacks.
Step four: Risk profiling
Once an organization's assets, threats and vulnerabilities have been identified, the process of risk profiling can begin. Risk can be thought of as the likelihood that a threat will exploit a vulnerability, resulting in a business impact. Risk profiling evaluates existing controls and safeguards, measures the risk for each asset-threat-vulnerability combination and then assigns it a risk score. These scores are based on a combination of the threat level and the impact on the organization should the risk actually occur.
This risk-based approach allows an organization to correctly prioritize the vulnerabilities it's identified and focus its efforts on the risks that are the most significant to its operations.
Step five: Risk treatment
Risks range from those that are low enough that an organization can accept them without adverse impact, to those so severe they must be avoided at all costs. Once each risk has been assessed, a decision is made to treat, transfer, tolerate or terminate it. Each decision should be documented along with the reasons that led to the decision. Repeat the process for each threat scenario so resources can be applied to the risks that will likely have the most significant effect on the business. Once these decisions are implemented, carry out tests to simulate key threats to ensure the new security controls do actually mitigate the most dangerous risks.
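As an added illustration of steps one to five (not part of the original article), the following Python sketch scores a small constructed risk register and maps each score to one of the four treatment decisions. The ordinal scales, the likelihood-times-impact formula, the control-effectiveness discount and the treatment thresholds are assumptions chosen for the example, not prescribed by the article.

```python
from dataclasses import dataclass

# Ordinal 1..5 scales (constructed for this example): threat level from step two,
# business impact from the asset valuation in step one.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # key into LIKELIHOOD
    impact: str                # key into IMPACT
    control_effectiveness: float = 0.0  # fraction of likelihood removed by existing controls


def residual_likelihood(item: RiskItem) -> float:
    """Step four: existing controls and safeguards discount the raw threat level."""
    return LIKELIHOOD[item.likelihood] * (1.0 - item.control_effectiveness)


def risk_score(item: RiskItem) -> float:
    """Assumed scoring rule: residual likelihood multiplied by impact (1..25)."""
    return round(residual_likelihood(item) * IMPACT[item.impact], 1)


def treatment(item: RiskItem, appetite: float = 4.0, max_tolerable: float = 16.0) -> str:
    """Step five: assumed policy mapping a score to tolerate / terminate / transfer / treat."""
    score = risk_score(item)
    if score <= appetite:
        return "tolerate"      # within risk appetite; accept and document
    if score >= max_tolerable:
        return "terminate"     # too severe to run; stop or decommission the activity
    if IMPACT[item.impact] >= 4 and residual_likelihood(item) <= 2:
        return "transfer"      # high impact but unlikely: insure or outsource
    return "treat"             # add or strengthen controls


def build_register(items):
    """Rank every asset-threat-vulnerability combination, highest risk first."""
    rows = [(risk_score(i), treatment(i), i) for i in items]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample register, reusing the article's own scenarios where possible.
SAMPLE_ITEMS = [
    RiskItem("order-entry system", "ransomware", "unpatched internet-facing server", "likely", "severe", 0.25),
    RiskItem("public website", "activist defacement", "weak admin password policy", "possible", "moderate"),
    RiskItem("data centre", "flood", "site on floodplain, no pumps", "unlikely", "severe"),
    RiskItem("staff wiki", "untrained employee deletes pages", "no backups", "likely", "negligible"),
    RiskItem("legacy FTP service", "disgruntled employee exfiltration", "no authentication or logging", "almost certain", "major"),
]

if __name__ == "__main__":
    for score, decision, item in build_register(SAMPLE_ITEMS):
        print(f"{score:5.1f}  {decision:9s}  {item.asset}: {item.threat} via {item.vulnerability}")
```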
While undertaking a risk-based security assessment seems like a daunting task, plenty of online tools exist to help with evaluating assets, threat levels and risk scores. Factor Analysis of Information Risk and NIST's Risk Management Framework are two examples of frameworks that can be used to quantify operational risk. They help ensure that an enterprise understands the true risks to the key assets behind its day-to-day operations and how best to mitigate them.
Achieving total security in an organization is impossible, but by deploying resources and expertise in an intelligent and cost-effective manner, IT professionals can make the most out of their hard-won budgets.