Developing an Information Security and Risk Management Strategy


Organizations continuously plan ahead for the security and risk management procedures they set up within their business, endeavoring to deflect imminent security threats. With attack surfaces continually emerging, the task of securing information has become more complex, and security strategies need to extend to mobile platforms, cloud systems and social ecosystems.

An information security and risk management (ISRM) strategy provides an organization with a road map for protecting information and information infrastructure, with goals and objectives that ensure the capabilities provided are aligned to business goals and the organization’s risk profile. Traditionally, ISRM has been treated as an IT function and included in an organization’s IT strategic planning. As ISRM has evolved into a more critical element of business support activities, it now requires its own independent strategy to ensure its ability to appropriately support business goals and to mature and evolve effectively.

In order to ensure the security of your organization for the long term, you need to determine and understand its current security status and set achievable goals based on a long-term strategic security road map.


Step 1: Business Awareness

The first steps include understanding the organization’s current business condition and considering the organization’s risk profile and appetite.

When developing an ISRM strategy, it is important to understand the organization’s current business conditions, as they will dictate the ability of the organization to execute the strategy that has been defined. If an organization does not have the staff, budget or interest in a robust or expansive ISRM capability, the strategy must reflect this situation. Also, the goal of an ISRM strategy should be to complement business goals while maintaining a responsible level of risk management and security for the organization’s information infrastructure and data. ISRM is one component of an overall enterprise risk management (ERM) capability, and as such, it should align itself with the goals and doctrines of ERM whenever possible.


Step 2: Defining Strategy

This step includes a prescriptive annual plan followed by a rolling three-year plan. The idea behind this is to allow for the determination of specific goals and objectives that can and should be met on an annual basis while accounting for the fact that ISRM is an ongoing activity. This also allows the organization to understand its current state of capability as well as its projected needs and requirements for the future. It also clearly identifies the point of arrival for capabilities based on management guidance and input. The role of this step is also to ensure the availability and capability of the staff necessary for strategy execution.


Understanding the culture of an organization is important when developing an ISRM strategy, and a key element is adoption. Adoption of strategy will not occur quickly or effectively if the members of the organization who are impacted by the strategy do not support the implementation.


Step 3: Strategy Development

This step includes defining the governance model and the functional inventory of capabilities and services. Organizations also need to consider whether the ISRM strategy will include operational components or will act as a consultative element within the organization. Another important decision organizations need to make is the reporting structure of ISRM: the ISRM scope of responsibility now frequently extends beyond technology to a focus on business processes and data. If this holds true, the ISRM group will likely be more effective as part of ERM, reporting to the chief risk officer (CRO).

Organizations should also consider the staff and competency requirements necessary to successfully implement and operate the ISRM strategy, as well as the risk of outsourcing and the need to ensure appropriate oversight by internal staff.


Step 4: Metrics and Benchmarking

The fourth step includes ensuring alignment with industry standards and guidelines. It also includes using a capability maturity model assessment methodology and KPIs to measure the effectiveness of the functions and capabilities developed through the ISRM strategy.



Step 5: Implementation and Operation

The first step in this phase is to take global considerations into account. Global considerations cannot be neglected when developing an ISRM strategy. Many controls, capabilities, standards and guidelines that are appropriate for a specific geography may not be applicable in others. For instance, in the US, an appropriate and preferred measurement of employee awareness of ISRM capabilities is to present employees with materials, test them on their retention and recognition of the materials, and collectively store and report this information. However, in countries such as Germany, this is not an allowed practice and cannot be implemented due to human resource regulations.

The second step is to determine how compliant the organization wants or needs to be. A better approach is often to analyze the impact of not being compliant or of becoming only partially compliant. In many cases, full compliance can be debilitating to business operations. If a regulation or standard does not have court precedent or defined and implemented consequence management, the impact of noncompliance may not be well understood. It may be in the organization’s best interest to continue to develop capabilities in line with industry-leading and organizational best practices instead of focusing on external compliance requirements alone.

The fourth step is to determine the consequences of not conforming to ISRM policies and requirements. Consequence management is the enforcement element for issues of noncompliance or nonalignment. It can range from a simple risk waiver that removes liability for actions from the ISRM group all the way to punitive actions against employees who choose not to align with ISRM directives.

The fifth step is utilizing an oversight board as part of the operational model for an ISRM strategy, as it can ensure business alignment as well as remove the ability of dissenters to criticize the organization for a lack of business consciousness.

The sixth step is to ensure that appropriate communication is occurring between the ISRM group and supporting business functions. The seventh and last step is ensuring cultural awareness regarding how information protection activities are viewed within the organization by changing the focus from security to risk management.
