Five Organizational Resilience Strategies for Security and Risk Management
Most business stakeholders are not focused on the same specifics as security and risk management (SRM) leaders. Stakeholders are interested in achieving company goals. To serve them, SRM leaders should focus their goals on organizational resilience strategies. An adverse event like ransomware often disrupts operations, while resilience efforts help ensure a quick restart.
Here are five strategies for SRM leaders that build on the security fundamentals presented here.
1. Use IAM to manage risk, reduce fraud and enable business imperatives
As per Gartner®, “IAM encompasses the tools and best practices to manage identities and access across an organization to manage risk, reduce fraud and other losses and enable business imperatives.”
Gartner further states, “it is necessary to ensure that, among other things, each identity (including user and machine identities) has the minimal level of access to the resources that it needs (i.e., the principle of least privilege). IAM can also be used by the business to enforce and identify breaches of segregation of duties.”
2. Manage vulnerabilities to help reduce the risk of incidents
Hackers around the world relentlessly probe company defenses, looking for weaknesses such as a system that has not been updated with the latest security patch or older firewalls lacking modern security protocols. SRM leaders need to be at the top of their game due to the increasing sophistication of cyberattacks.
According to Gartner, “With respect to infrastructure-related weaknesses, identification and, to some extent, assessment, come from activities such as vulnerability scanning and penetration testing. Assessment requires knowledge of both the technical implications of the security weakness and the business implication of exploitation of the weakness.”
3. Provide security monitoring to prevent incidents from going undetected
Security monitoring of controls keeps a watchful eye for threats to operations. Without ongoing monitoring, SRM leaders could get stuck in a reactive mode, responding to and triaging every crisis. Gartner recommends that security monitoring includes at a minimum: basic log management, security operations resourcing and operating metrics.
As per Gartner, for basic log management “Organizations should implement a central repository for log retention to meet investigative and legal requirements and support some sort of reporting or analysis.”
In terms of security operations resourcing, “At a minimum, organizations require a human resource to be available to review and act on the information generated for security tools. Outsourcing is an option, and for organizations starting the security journey, a limited security service such as MSSP and MDR from a provider can provide a very useful way of uplifting some security capabilities quickly and simply.”
For operating metrics, “Targets, key performance indicators (KPIs) and metrics to measure and monitor how installed security controls are performing are essential to demonstrating the effectiveness of security controls.”
4. Shore up security around vendors and the procurement process
A sizeable percentage of cyber incidents are traced to company vendors or businesses in the supply chain. SRM leaders can follow organizational resilience strategies, but if there is a weakness in security around the procurement process or third parties, there is a much higher risk of incidents.
Gartner says, “It is critical to ensure that security requirements are included in the procurement process—particularly for technology products and software. These requirements could include broad compliance requirements like SOX, HIPAA and PCI DSS, but should be tailored to the products being sourced.”
Gartner also stresses due diligence and transparency: “Conduct appropriate due diligence to assess the security posture and suitability of the vendor to securely provide contracted services,” and “allow the client to assess the state of security based on reports that are delivered on time and in a format that provides transparency.”
5. Create a business continuity plan that includes disaster recovery
Business continuity management (BCM) encompasses disaster recovery and represents a must-have for SRM leaders. A crisis can strike any moment, so our takeaway from the Gartner research report is clear: have a plan for typical scenarios with test runs to bounce back faster from a crisis.
We believe that Gartner puts it best. “The ultimate goal for every organization should be to resist, absorb, recover and adapt to business disruption (whether security-related or otherwise) in an ever-changing and increasingly complex environment to enable it to deliver its objectives, and rebound and prosper.”
Achieve organizational resilience
SRM leaders should set a goal of organizational resilience because that status best serves the business. To carry out organizational resilience strategies, limit risk with identity and access management, manage the vulnerabilities that make you an attractive target to hackers, embrace security monitoring that provides a first response to incidents, take extra security precautions around vendors and procurement, and build a BCM plan for a day you hope never arrives, so that you are ready if it does.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.