A plethora of articles have explored the challenges of managing systems in a market downturn. The one common message is that information security professionals have to do more with less - to balance the rise in vulnerabilities and threat vectors with a fall in budget. Hence the increasing requirement to work smarter and develop holistic, sustainable approaches to information security management.
One recent example of this cost-effective approach can be seen in the development of business continuity plans in relation to the swine flu pandemic. Plans produced for the SARS and avian flu scares have been quickly revised by organisations and their business continuity and disaster recovery teams to meet the current challenge.
The identification, re-use and adoption of existing systems to address new risk items and variants are areas which could be further exploited across the control selection environment to create a live security solutions catalogue.
Many risk assessment methodologies advocate the use of a control selection stage which is predominantly generic. While this is a useful starting point, mapping these generic control recommendations to the specific control systems available to and deployed within the organisation creates a live security "solutions catalogue" which provides considerable value to the business on a number of fronts:
1. It encourages the adoption of a consistent, standard approach, which in turn leads to greater efficiency. This reduces the cost overhead (via service duplication) when business units adopt different methods of performing the same tasks. Common examples whereby a simplified approach can be taken include privileged account management and break-glass systems.
2. It facilitates the adoption of a positive, solutions-focused culture. Armed with an up-to-date solutions catalogue, the risk analyst is able to adopt a tailored, proactive, approach and engage with IT and business owners to identify, evaluate and select the most appropriate controls to mitigate related information risks. The awareness of existing control functionality, contact points (solution owners), specification, cost and licensing requirements brings additional value to this risk assessment phase in terms of timely, practical and consistent guidance.
3. A solutions catalogue promotes the opportunity to learn from best practice examples across the business, leveraging these functions from other groups, which in turn reduces the cost of protecting company assets. Numerous groups within the organisation will be adopting innovative control solutions, (eg, internal audit, financial control, IT, compliance departments) and information risk groups are very well positioned to identify, coordinate and share the best of these approaches, as their work reaches across all of the key business functions.
4. Having full visibility of the practical control space within an organisation allows the IT risk department (in conjunction with its IT and business partners) to carry out a gap analysis and initiate a strategic approach to addressing any gaps in the portfolio of required control options. This is a more cost effective approach than allowing multiple groups within an organisation to duplicate effort.
The above approach promotes a dynamic security resource model whereby business units own control assets and their respective management, while the information security team addresses a more central risk assessment, consultancy and strategic governance (policy, standards) role.
This results in a more effective distribution of resources, with security requirements more closely aligned to and driven by the business. It also results in more accurate cost projections as a central security group no longer has to second guess how many control resources will be required across the organisation.
Peter Drabwell is senior assistant vice-president, IT risk & BCM at Credit Suisse Asset Management, Investment & Private Banking. He is a member of the (ISC)2 European Advisory Board.