Security and risk management (SRM) leaders are challenged today by the demands of their positions and expectations from stakeholders. Customers, regulators, auditors, and senior management want different things from SRM leaders. Identifying the processes and services that will demonstrate the value and communicate metrics and information sought by stakeholders is also difficult. Meanwhile, SRM leaders face regulatory requirements that are either new or continuously changing.
For SRM leaders, the ability to meet these challenges may well determine their level of career success. Gartner® reports, “by 2023, 30 percent of CISOs’ effectiveness will be directly measured on their role’s ability to create value for the business”.
Create value for the business and long-term success for the security program
As per Gartner, “The effectiveness of a security program can no longer be measured solely by the security controls implemented and its compliance with regulatory requirements. Also, this is made more difficult by increasingly dynamic regulatory and audit requirements, and adoption of modern IT delivery methods.”
The answer is a modern security program that equips SRM leaders to demonstrate risk reduction, along with reporting tools that enable them to easily communicate the program’s effectiveness, efficiency and value to each stakeholder type.
Zero in on the fundamentals for IT security
SRM leaders who want to build a modern security program should focus first on fundamentals. As the saying goes, learn to walk before you try to run.
As Gartner® notes in Security Fundamentals – The Services and Processes You Must Get Right, “an SRM leader must be able to demonstrate an ability to assess, prioritize, and implement a reasonable standard of due care to meet the divergent and evolving expectations of customers, regulators, auditors and senior management.”
Strive to accomplish the basics, including:
- Implement and document the processes and services listed in generally accepted standards and frameworks (for example, ISO/IEC 27001 or the NIST Cybersecurity Framework). A comprehensive and mature security program adds further processes and services, but this starter set delivers the fundamentals.
- Institute security governance. SRM leaders are resource constrained. Governance decides which risks and stakeholder expectations get those scarce resources, so the program delivers benefits where they are expected.
- Collaborate with other business lines. Review the outputs of security governance with other departments against their business goals and risks; their input helps set security’s direction.
- Manage security policy actively. A security policy encourages desired behavior and discourages undesired behavior. It should be aligned with the risk appetite of the business, which funds the security controls and bears any residual risk.
- Communicate security’s role and activities. Good work done by security is undermined when nobody outside the team knows about it. Departments and management need to hear from SRM leaders to understand the value provided.
According to Gartner®, “enterprises that conduct their security awareness activities as a process with behavioral change metrics are most likely to derive demonstrable value from them.”
Manage vulnerabilities and incidents
The better the security team manages vulnerabilities, the lower the risk of incidents occurring. That is why identifying, assessing, and resolving security weaknesses in the enterprise is an ongoing activity of a security program that is focused on the fundamentals.
As per Gartner, “With respect to infrastructure-related weaknesses, identification and, to some extent, assessment come from activities such as vulnerability scanning and penetration testing. Assessment requires knowledge of the technical implications of the security weakness and also of the business implications of exploitation of the weakness. The risk owner must then make a decision on how best to treat the risk.”
Also, “Remedial action may range from detailed technical measures — such as the application of patches, or changes to the configuration of firewalls or other network-based vulnerability protection infrastructure — through changes to custom-made applications, and right up to very high-level measures, such as changes to processes or new awareness campaigns.”
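The assessment described above, in which the technical severity reported by scanning is combined with the business implications of exploitation before the risk owner decides on treatment, can be made concrete. What follows is an added example written for this page, not code from the original article or from Gartner. The asset inventory, scanner findings, scoring weights, tier thresholds and SLA table are all constructed for illustration and stand in for values a real program would take from its own risk appetite and policy.

```python
"""Vulnerability triage: scanner output plus business context.

Added example, not from the original article or from Gartner. All
findings, assets, weights, thresholds and SLAs below are constructed.
"""
from dataclasses import dataclass

# Constructed asset inventory: the business side of the assessment
# (criticality 1..3, internet exposure, named risk owner).
ASSETS = {
    "web-01":   {"criticality": 3, "internet_facing": True,  "owner": "ecommerce"},
    "db-01":    {"criticality": 3, "internet_facing": False, "owner": "ecommerce"},
    "kiosk-07": {"criticality": 1, "internet_facing": False, "owner": "facilities"},
}

# Constructed scanner findings: the technical side (CVSS base score,
# whether public exploit code exists, what kind of fix the vendor offers).
FINDINGS = [
    {"id": "F-1", "asset": "web-01",   "cvss": 9.8, "exploit_public": True,  "fix": "patch"},
    {"id": "F-2", "asset": "db-01",    "cvss": 7.5, "exploit_public": False, "fix": "patch"},
    {"id": "F-3", "asset": "kiosk-07", "cvss": 9.8, "exploit_public": True,  "fix": None},
    {"id": "F-4", "asset": "web-01",   "cvss": 4.4, "exploit_public": False, "fix": "config"},
]

# Assumed remediation deadlines per tier; a real program sets these in policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Decision:
    finding_id: str
    priority: float
    tier: str
    sla_days: int
    treatment: str
    owner: str


def priority_score(finding, asset):
    """CVSS adjusted by business context (weights are assumptions).

    Internet exposure and public exploit code each raise the score by 25%;
    low asset criticality scales it down. The result is a ranking value,
    not a normalized CVSS score, so it may exceed 10.
    """
    score = finding["cvss"]
    if asset["internet_facing"]:
        score *= 1.25
    if finding["exploit_public"]:
        score *= 1.25
    score *= asset["criticality"] / 3.0   # criticality 1..3 -> 0.33..1.0
    return round(score, 2)


def tier_for(priority):
    """Assumed thresholds mapping a priority score to a remediation tier."""
    if priority >= 9.0:
        return "critical"
    if priority >= 7.0:
        return "high"
    if priority >= 4.0:
        return "medium"
    return "low"


def recommend_treatment(finding):
    """Propose a default remedial action; the risk owner makes the final call."""
    if finding["fix"] == "patch":
        return "apply vendor patch"
    if finding["fix"] == "config":
        return "change configuration"
    # No technical fix exists, so the decision moves up to the risk owner:
    # compensating control, isolation, acceptance or decommissioning.
    return "no fix available; apply compensating control and refer to risk owner"


def triage(findings=FINDINGS, assets=ASSETS):
    """Return one Decision per finding, highest priority first."""
    decisions = []
    for f in findings:
        asset = assets[f["asset"]]
        p = priority_score(f, asset)
        tier = tier_for(p)
        decisions.append(Decision(f["id"], p, tier, SLA_DAYS[tier],
                                  recommend_treatment(f), asset["owner"]))
    decisions.sort(key=lambda d: d.priority, reverse=True)
    return decisions


if __name__ == "__main__":
    for d in triage():
        print(f"{d.finding_id}: priority={d.priority} tier={d.tier} "
              f"sla={d.sla_days}d owner={d.owner} -> {d.treatment}")
```

The point the example makes is that F-1 and F-3 carry the same CVSS score but land in different tiers: an internet-facing, business-critical host with public exploit code is remediated within a week, while the same weakness on a low-criticality internal kiosk with no vendor fix becomes a medium-tier item that goes back to its risk owner for a compensating control or an acceptance decision.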
Attackers go after the weakest targets first, so steps that shore up defenses go a long way toward preventing breaches. Even the soundest security program will still experience incidents, however, which is why an incident response process is essential.
As Gartner puts it, “the extent of the damage from an incident largely depends on the quality of the response.”
A quality incident response has four phases: preparation, detection and analysis, response, and post-incident activity (the same lifecycle NIST SP 800-61 describes, where response covers containment, eradication and recovery). Preparation means knowing your critical assets and having the people, tooling and playbooks ready before anything happens. Detection and analysis discover incidents and establish their scope; response contains and resolves them and limits the damage. Post-incident activities such as root cause analysis, a post-mortem on the response itself, and follow-up remedial action are essential for preventing a repeat.
Master the fundamentals for IT security and risk management
SRM leaders are under pressure to deliver on security expectations and meet stakeholders’ demands, from customers and senior management to auditors and regulators. The pressure can be overwhelming. The solution is to get back to basics and master the fundamentals of IT security. From there, you can add the finer elements of a modern security program.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.