Treat information security as an operational risk management issue, not as a tactical function.
Computerworld - Christofer Hoff is on a mission. As the director of information security at Western Corporate Federal Credit Union (WesCorp), Hoff has launched an initiative to quantify the benefits of information security spending for business executives at the San Dimas, Calif.-based company.
The constantly evolving technology and threat environment and the difficulty of attaching a specific monetary value to information assets make it hard to come up with traditional return-on-investment numbers, Hoff says. So the focus instead is on gathering corporate metrics that show how the company can reduce risk exposure and avoid costs -- such as those related to virus attacks -- by implementing the appropriate security measures.
As part of this effort, Hoff's team is implementing a process methodology called OCTAVE from Carnegie Mellon University's Software Engineering Institute. OCTAVE helps companies identify infrastructure vulnerabilities, prioritize information assets and create asset-specific threat profiles and mitigation plans.
It's all about showing "reduction of risk on investment," Hoff says. "I'm not interested in showing that I've improved the bottom line. What I can show is how we have managed risk on behalf of the company and reduced our risk exposure."
Hoff is among a growing number of security managers who say it's time to approach information security as an operational risk management issue rather than as a function that's solely focused on implementing tactical fixes for every new threat that surfaces.
The need to comply with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and California's SB 1386 is one of the primary factors pushing companies to take a more business-oriented look at their information security measures.
Lending urgency to the situation is a wave of legislation that lawmakers are considering in response to a series of well-publicized data compromises at Bank of America Corp., ChoicePoint Inc. and LexisNexis Group .
A New View
Evolving threats and a greater exposure to risk are also pushing the need for a more strategic view of security. The growing use of wireless and handheld technologies and the tendency to connect internal networks with those of suppliers, partners and customers have dramatically increased security risks and the potential consequences of a breach.
"All of a sudden, there are a lot of new stakeholders in information security," including regulators, shareholders, customers, employees and business partners, says Carolee Birchall, vice president and senior risk officer at BMO Bank of Montreal in Toronto. "All of these groups have different expectations of IT, and they all come to a head around information security," she says.
The trend calls for a fundamental rethinking of security objectives,
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts