Treat information security as an operational risk management issue, not as a tactical function.
Computerworld - Christofer Hoff is on a mission. As the director of information security at Western Corporate Federal Credit Union (WesCorp), Hoff has launched an initiative to quantify the benefits of information security spending for business executives at the San Dimas, Calif.-based company.
The constantly evolving technology and threat environment and the difficulty of attaching a specific monetary value to information assets make it hard to come up with traditional return-on-investment numbers, Hoff says. So the focus instead is on gathering corporate metrics that show how the company can reduce risk exposure and avoid costs -- such as those related to virus attacks -- by implementing the appropriate security measures.
As part of this effort, Hoff's team is implementing a process methodology called OCTAVE from Carnegie Mellon University's Software Engineering Institute. OCTAVE helps companies identify infrastructure vulnerabilities, prioritize information assets and create asset-specific threat profiles and mitigation plans.
It's all about showing "reduction of risk on investment," Hoff says. "I'm not interested in showing that I've improved the bottom line. What I can show is how we have managed risk on behalf of the company and reduced our risk exposure."
Hoff is among a growing number of security managers who say it's time to approach information security as an operational risk management issue rather than as a function that's solely focused on implementing tactical fixes for every new threat that surfaces.
The need to comply with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and California's SB 1386 is one of the primary factors pushing companies to take a more business-oriented look at their information security measures.
Lending urgency to the situation is a wave of legislation that lawmakers are considering in response to a series of well-publicized data compromises at Bank of America Corp., ChoicePoint Inc. and LexisNexis Group .
A New View
Evolving threats and a greater exposure to risk are also pushing the need for a more strategic view of security. The growing use of wireless and handheld technologies and the tendency to connect internal networks with those of suppliers, partners and customers have dramatically increased security risks and the potential consequences of a breach.
"All of a sudden, there are a lot of new stakeholders in information security," including regulators, shareholders, customers, employees and business partners, says Carolee Birchall, vice president and senior risk officer at BMO Bank of Montreal in Toronto. "All of these groups have different expectations of IT, and they all come to a head around information security," she says.
The trend calls for a fundamental rethinking of security objectives,
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!