Safeguarding Organizations through Risk-Based ISO Strategy
By Jerry Sullivan, CIO and VP, IT, Orlando Utilities Commission
Is your security department using Mall Cop tactics or a risk-based strategy? For most organizations, I suspect executive management’s perception prevails over the factual answer to this question. Many people picture their Information Security Office (ISO) behaving like the stereotypical Paul Blart character, played by actor Kevin James in the movie Paul Blart: Mall Cop. What is a Mall Cop style of security? It is when the ISO is perceived as a policy enforcer and a roadblock. The ISO promotes rules, checklists, and guidelines that appear to come out of a black box. In other words, many believe the ISO drives IT security because it benefits IT and not the organization as a whole.
“A risk-based security strategy is a cost-effective way to implement safeguards and ensure your organization is properly protected”
On the other hand, the risk-based approach uses strategies that take into account not only the ISO’s own requirements, but the needs of the business/enterprise. A key change management tool for implementing a risk-based ISO strategy is to make the risks transparent and process-driven. The result is that the ISO becomes more of a trusted advisor and partner. The risk-based strategy requires that business requirements be gathered and assessments performed to understand the current state and to develop the needs. It weighs the likelihood of an undesirable event against the potential impact of that event. Instead of being a Mall Cop style roadblock, the risk-based ISO is a solution designer and business enabler.
Most organizations today use risk management as one of their security tools. At the Orlando Utilities Commission (a municipal electric and water utility serving Orlando and the surrounding areas), our ISO and the information technology department use risk management as a primary tool. We use risk management to “right size” security to the business and to do our best to deliver the Holy Grail of security officers everywhere: high “confidentiality, integrity, availability, and accountability.”
To put risk-based ISO strategy into context, let’s first describe the traditional methods. Typical security protocols use policies and guidelines for primary security enforcement and the tools/applications/hardware specified therein to automate security. These guidelines are usually created for a timeframe and situation that is dated as soon as the first new technology and/or malware is developed. The typical response by traditional ISOs is to clamp down on networks, circuits, routers, servers, applications, desktops, laptops, phones, etc. This knee-jerk reaction reduces the effectiveness of the tool, limits productivity, and is often a one-size-fits-all policy that spends money in the wrong places and establishes policies for areas that are not at risk. The policies become more restrictive, the procedures become more cumbersome, and before long the policy becomes so stifling that the business/enterprise suffers, the main security goal is not achieved, and the ISO gets a bad name. The reputation of the ISO suffers, and the high-level security goal that the ISO aspires to is not achieved.
Now let’s talk about risk-based security strategy in terms of the steps, considerations, and challenges involved in implementing it in the organization.
Steps: Although there are many risk-based frameworks that can be adopted, here are six simple steps for the risk-based strategy based on Evan Wheeler’s “Security Risk Management” book, ed. 2011:
Considerations: Do you have restrictive regulatory requirements that drive most of your security efforts? Would your internal audit function be opposed to a risk-based approach vs. traditional “mall cop” methods? Are you getting high security value from your security investment? Does your program already have deep acceptance by your business? If the answers are yes, you may want to keep your current program. If no, then you should consider adopting risk-based security strategies.
Challenges: If this were easy, everyone would be doing it. Making the change requires persistence and common sense. For example, not all devices require the same protection. Not every department or business unit needs the same security. Role-based security is another example: there are more risks for an IT administrator than for other administrators. Another challenge is that the security team needs expertise in developing a current state, a risk profile, and an action plan to implement the risk-based strategy. Another hurdle to overcome is that project managers and engineers often want a security checklist as soon as possible, often before the risks are known. This requires a bit of change management and expectation setting. One final challenge might be how you help your internal auditors figure out how to do their jobs without relying solely on an ISO, COBIT, or PCI checklist. They need to understand risk profiles and how assessments were made. A risk-based security strategy is a cost-effective way to implement safeguards and ensure your organization is properly protected.