News, September 3, 2010
Report: Bridging the information security/IT risk management gap

 
There is still a fundamental confusion about the relationship between information security and IT risk management, and many companies ask whether it is possible to have one without the other. Here are Risk magazine’s four steps to bridging the gap…

Despite the growing maturity of enterprise security and IT risk programs, many companies wonder whether they need both the information security and IT risk management functions to protect their enterprises’ information assets from malicious or accidental security violations, or IT-risk related incidents.

These are the findings of a recent Gartner research report, How to Close the Gap Between Information Security and IT Risk Management, which detailed four key points to help information security practitioners be viewed as strategic partners:

1. Integrating security and IT risk governance into the business decision-making process will ensure that security is effectively integrated into all business activities.

The days when information security organisations purchased technologies simply because they were perceived as “cool” are, for the most part, over – and rightly so, the report noted. Today, organisations need to become more involved in the decision-making process related to the identification, evaluation and mitigation of risks.

“These activities cannot be performed in a vacuum, and must be conducted with a clear understanding of potential impacts on the business’ ability to support and deliver on its objectives,” the report stated.

“Information security professionals who wish to be treated as strategic partners, rather than as tactical problem solvers, must communicate clearly and effectively with business leaders, and must do so in language that the business understands.”

2. Increase awareness of the value of information security in supporting business risk management objectives.

Developing and reporting meaningful metrics and key risk indicators are crucial steps towards providing the necessary assurance that information security activities provide strong support for their business-critical objectives, according to the report.

Information security organisations should also implement continuous improvement to increase the maturity of their programs over time, while the report noted that the creation of an enterprise information security awareness program – comprising not only rules, standards and guidelines, but also clear explanations of the link between security and IT risks and business risks – will also ensure that the enterprise understands and appreciates the value of information security activities.

3. Ensure that risk ownership is assigned to the appropriate stakeholder within the enterprise.

Business stakeholders must take responsibility for their own risks, and the report noted that this requires them to be involved in the risk treatment decision-making process early on. “One highly useful practice is the creation of risk memos that clearly define risks, present alternative remediation options and require stakeholders to sign off on final decisions regarding how risks are to be mitigated,” the report said.

It is important to understand that this shifting of accountability requires a fundamental change in governance principles and accountability structures. One of the keys to success is for the chief information security officer (CISO) to build an alliance of more-established and influential roles, such as the chief risk officer, corporate governance officer, compliance officer or chief internal auditor, that have the power to influence the executive leadership team.

4. Overcome key challenges to improving the maturity of security programs and making them more risk-focused.

Information security professionals who wish to be viewed more as strategic partners than as tactical resources must overcome a number of difficult challenges, according to the report.

The first is the need to communicate in the language of the business, avoiding jargon and discussions of technical threats and risks. Another critical challenge is the need to understand the objectives of the enterprise, with at least some understanding of the risks at the highest levels of the business. A third challenge for information security organisations is that they must also begin to look more closely at process-based solutions, instead of simply identifying, purchasing and implementing tools in response to every security problem that emerges.

29 July 2010

Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.