Treat information security as an operational risk management issue, not as a tactical function.
Computerworld - Christofer Hoff is on a mission. As the director of information security at Western Corporate Federal Credit Union (WesCorp), Hoff has launched an initiative to quantify the benefits of information security spending for business executives at the San Dimas, Calif.-based company.
The constantly evolving technology and threat environment and the difficulty of attaching a specific monetary value to information assets make it hard to come up with traditional return-on-investment numbers, Hoff says. So the focus instead is on gathering corporate metrics that show how the company can reduce risk exposure and avoid costs -- such as those related to virus attacks -- by implementing the appropriate security measures.
As part of this effort, Hoff's team is implementing a process methodology called OCTAVE from Carnegie Mellon University's Software Engineering Institute. OCTAVE helps companies identify infrastructure vulnerabilities, prioritize information assets and create asset-specific threat profiles and mitigation plans.
It's all about showing "reduction of risk on investment," Hoff says. "I'm not interested in showing that I've improved the bottom line. What I can show is how we have managed risk on behalf of the company and reduced our risk exposure."
Hoff is among a growing number of security managers who say it's time to approach information security as an operational risk management issue rather than as a function that's solely focused on implementing tactical fixes for every new threat that surfaces.
The need to comply with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and California's SB 1386 is one of the primary factors pushing companies to take a more business-oriented look at their information security measures.
Lending urgency to the situation is a wave of legislation that lawmakers are considering in response to a series of well-publicized data compromises at Bank of America Corp., ChoicePoint Inc. and LexisNexis Group .
A New View
Evolving threats and a greater exposure to risk are also pushing the need for a more strategic view of security. The growing use of wireless and handheld technologies and the tendency to connect internal networks with those of suppliers, partners and customers have dramatically increased security risks and the potential consequences of a breach.
"All of a sudden, there are a lot of new stakeholders in information security," including regulators, shareholders, customers, employees and business partners, says Carolee Birchall, vice president and senior risk officer at BMO Bank of Montreal in Toronto. "All of these groups have different expectations of IT, and they all come to a head around information security," she says.
The trend calls for a fundamental rethinking of security objectives,
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts