Perfect security is neither possible, feasible, nor required by law. In fact, information security laws and regulations require that we provide "reasonable and appropriate" security through a well-defined risk management process.
Without a risk-based approach, organizations try to address information security requirements either by working through a long list of security controls or by investing against whichever security threats most recently made the news. But the regulations are written so that organizations can thoughtfully consider which threats are foreseeable and what their potential impacts would be. Security controls should then be applied to bring those risks down to a level the organization can accept.
Organizations care about information security not only because they need their systems and information to be secure, but because they want to avoid the consequences of a security breach. In the U.S., those consequences most often translate to fines, lawsuits, and loss of business. Laws, regulations, and the courts have long held that applying due care and due diligence reduces liability. By managing information security through a risk assessment, we not only follow the law but also ensure that our security investments are appropriate to our business.
A formal information risk assessment, as described by these laws and regulations, helps management think through which of their information assets could create problems for the public, for the organization, or for their clients if compromised. When risks are expressed in terms of "impacts," then "due care" can be defined in terms that are as understandable to executive management as they are to technical managers and their staff. Moreover, security investments can be planned so that they are proportional to the risks they address.
We are in an arms race with criminals and other adversaries who want to disrupt business operations and steal data. Their aims differ, but the common theme is unauthorized access to and use of computer systems to fulfill their mission. Their attacks include:
- Stealing and selling data (intellectual property, personally identifiable information, etc.)
- Gaining control over computer resources
- Spreading malware (for example, to recruit machines into botnets)
- Proving a point to perceived enemies
- Monitoring actions and decisions of organizations and nation states
- Disrupting business operations as a form of political activism
We cannot know in advance which threats will materialize or when, but we can protect ourselves, our interests, and the interests of our stakeholders if we systematically consider these risks and maintain a plan for reducing their likelihood and impact. When these threats do occur, we will be better prepared either to defend against them or to reduce their impact. This is precisely what the laws are telling us to do.
The benefits of a mature risk management system include the ability to:
- Demonstrate compliance with contracts, laws, and regulations
- Identify threats and risks that were previously unknown or not prioritized correctly
- Differentiate the organization in the market
- Demonstrate due care to interested parties and clients
- Align the interests of IT, Executive Management, and Internal Audit
- Make efficient use of limited funds to maximize the return on security spending
- Identify the biggest risks that need to be treated
- Reduce or eliminate ad hoc risk assessment by staff