Treat information security as an operational risk management issue, not as a tactical function.
Computerworld - Christofer Hoff is on a mission. As the director of information security at Western Corporate Federal Credit Union (WesCorp), Hoff has launched an initiative to quantify the benefits of information security spending for business executives at the San Dimas, Calif.-based company.
The constantly evolving technology and threat environment and the difficulty of attaching a specific monetary value to information assets make it hard to come up with traditional return-on-investment numbers, Hoff says. So the focus instead is on gathering corporate metrics that show how the company can reduce risk exposure and avoid costs -- such as those related to virus attacks -- by implementing the appropriate security measures.
As part of this effort, Hoff's team is implementing a process methodology called OCTAVE from Carnegie Mellon University's Software Engineering Institute. OCTAVE helps companies identify infrastructure vulnerabilities, prioritize information assets and create asset-specific threat profiles and mitigation plans.
It's all about showing "reduction of risk on investment," Hoff says. "I'm not interested in showing that I've improved the bottom line. What I can show is how we have managed risk on behalf of the company and reduced our risk exposure."
Hoff is among a growing number of security managers who say it's time to approach information security as an operational risk management issue rather than as a function that's solely focused on implementing tactical fixes for every new threat that surfaces.
The need to comply with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and California's SB 1386 is one of the primary factors pushing companies to take a more business-oriented look at their information security measures.
Lending urgency to the situation is a wave of legislation that lawmakers are considering in response to a series of well-publicized data compromises at Bank of America Corp., ChoicePoint Inc. and LexisNexis Group .
A New View
Evolving threats and a greater exposure to risk are also pushing the need for a more strategic view of security. The growing use of wireless and handheld technologies and the tendency to connect internal networks with those of suppliers, partners and customers have dramatically increased security risks and the potential consequences of a breach.
"All of a sudden, there are a lot of new stakeholders in information security," including regulators, shareholders, customers, employees and business partners, says Carolee Birchall, vice president and senior risk officer at BMO Bank of Montreal in Toronto. "All of these groups have different expectations of IT, and they all come to a head around information security," she says.
The trend calls for a fundamental rethinking of security objectives,
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!