Opinion

Security Think Tank: Checklists are dead, long live risk-driven security

The key asset of most businesses is data: data processed into information that enables companies to make strategic and tactical decisions, create products and services and ultimately sell these to their customers.

Although each company is distinctive, the elementary rules of conducting business, such as corporate governance, are common to all.

Information security, which I see as part of corporate governance, exists to protect information assets from unauthorised access that could result in the information being disclosed, modified or lost for good.

It is said that there is no 100% security, which is certainly true if the information needs to be accessed by at least one subject. Yet in a typical organisation, information systems are accessed by a multitude of people and other systems, which may be located inside the company building, connected to a variety of networks or using different means of access.

Complex contractual relationships also require information to be shared between partners. Defining and implementing the correct balance of access control at the network and application level requires mastering the fine art of risk management.

There are several legal, regulatory and corporate standards listing controls that organisations must or should implement to protect their information: SOX, ISO 27001, NIST SP 800-53 and PCI DSS, to name a few.

However, it has been shown again and again that blindly implementing these controls does not prevent information breaches. In many cases, applying these standards leads to bloated security budgets with very little to show for it.

So what should CISOs do to support their companies properly by enabling secure access to information?

I strongly advise implementing a security architecture that is based on threat modelling and advanced penetration testing and, most importantly, is created together with the business owners. These three components need to feed the risk management decisions that drive the level of controls protecting access to information.

As every organisation is unique, the mix of controls is going to be different for each one of them.

To deliver this new concept, a refreshed, business-focused security approach is needed, one that will challenge existing security “checklists” to their core and implement true risk-based business security governance.


Vladimir Jirasek is director of research for the UK chapter Cloud Security Alliance (CSA) and managing director of Jirasek Consulting Services.

This was first published in June 2013
