A plethora of articles have explored the challenges of
managing systems in a market downturn. The one common message is
that information security professionals have to do more with less -
to balance the rise in vulnerabilities and threat vectors with a
fall in budget. Hence the increasing requirement to work smarter
and develop holistic, sustainable approaches to information
security management.
One recent example of this cost-effective approach can be seen
in the development of business continuity plans in relation to the
swine flu pandemic. Plans produced for the SARS and avian flu
scares have been quickly revised by organisations and their
business continuity and disaster recovery teams to meet the current
challenge.
The identification, re-use and adoption of existing systems to
address new risk items and variants are areas which could be
further exploited across the control selection environment to
create a live security solutions catalogue.
Many risk assessment methodologies advocate the use of a control
selection stage which is predominantly generic. While this is a
useful starting point, mapping these generic control
recommendations to the specific control systems available to and
deployed within the organisation creates a live security "solutions
catalogue" which provides considerable value to the business on a
number of fronts:
1. It encourages the adoption of a consistent, standard
approach, which in turn leads to greater efficiency. This reduces
the cost overhead incurred through service duplication when
business units adopt different methods of performing the same
tasks. Common examples where a simplified approach can be taken
include privileged account management and break-glass systems.
2. It facilitates the adoption of a positive, solutions-focused
culture. Armed with an up-to-date solutions catalogue, the risk
analyst is able to adopt a tailored, proactive approach and engage
with IT and business owners to identify, evaluate and select the
most appropriate controls to mitigate related information risks.
The awareness of existing control functionality, contact points
(solution owners), specification, cost and licensing requirements
brings additional value to this risk assessment phase in terms of
timely, practical and consistent guidance.
3. A solutions catalogue promotes the opportunity to learn from
best practice examples across the business, leveraging these
functions from other groups, which in turn reduces the cost of
protecting company assets. Numerous groups within the organisation
will be adopting innovative control solutions (e.g. internal audit,
financial control, IT and compliance departments), and information
risk groups are very well positioned to identify, coordinate and
share the best of these approaches, as their work reaches across
all of the key business functions.
4. Having full visibility of the practical control space within
an organisation allows the IT risk department (in conjunction with
its IT and business partners) to carry out a gap analysis and
initiate a strategic approach to addressing any gaps in the
portfolio of required control options. This is a more cost-effective
approach than allowing multiple groups within an organisation to
duplicate effort.
The above approach promotes a dynamic security resource model
whereby business units own control assets and their respective
management, while the information security team addresses a more
central risk assessment, consultancy and strategic governance
(policy, standards) role.
This results in a more effective distribution of resources, with
security requirements more closely aligned to and driven by the
business. It also results in more accurate cost projections, as a
central security group no longer has to second-guess how many
control resources will be required across the organisation.
Peter Drabwell is senior assistant vice-president, IT risk
& BCM at Credit Suisse Asset Management, Investment &
Private Banking. He is a member of the (ISC)2 European Advisory
Board.