How to Get More $ for Security

IT compliance may not be as thrilling as the latest tablet computer or smartphone that users are bringing into your organization. However, for many organizations it’s the main driver for justifying IT security budgets used to protect the organization’s critical information that users have access to on those shiny new tablets or smartphones.

Admittedly, it’s fairly easy to secure funding for compliance. After all, you really don’t have a choice – you must comply with all the mandates, rules and regulations that are central to your industry. But being compliant is just the start of what you must do. Adequately protecting that information means going beyond the minimum, yet many organizations stop at the minimum, despite everyone in IT recognizing that being compliant doesn’t equate to being secure. The problem is that justifying additional security budget beyond the compliance checklist remains a significant challenge for most IT departments.

Practical Risk Management – Part 2

Tackling Risk Management, One Step at a Time

In part one of the series I explained why information security programs should include practical risk management as a key component. In this post I will explain “the what” of practical risk management with some guidelines. The final post in the series will be “the how” of implementing practical risk management in your environment.

All information security programs are unique. The interactions of business, industry, and technology are too complex to prescribe a definitive framework for practical risk management. Instead, I will outline various guidelines and themes that any practical risk framework should contain.

Business Compatible – Above all, practical risk management needs to acknowledge and be compatible with the business it will protect. Most often the people who will accept the risk or approve the mitigation will not be security experts per se – however, they will understand the business and its goals/objectives. Presenting the risk by acknowledging business needs as well as security dangers will defuse the perception that security hinders the business instead of protecting it.

CISOs: Make the Most of Your Time in the Boardroom

People in IT leadership roles, including CIOs and CISOs, typically have only five to eight minutes of time to present in Board of Directors meetings, according to the latest research from the IT Policy Compliance Group. How CISOs use this time will often determine whether they get the resources they need to effectively manage IT risk.

Adding to this pressure on CISOs is the fact that their boards are more attuned to security issues than ever before. Recent data from Forrester Research notes that 70% of security decision makers report increased executive awareness of IT security as a result of high-profile attacks and breaches. So now, in less than 10 minutes, CISOs need to manage interactions with the board to focus on the most critical issues while avoiding distractions from what senior executives may have read or heard about cyber-attacks. As a security leader, how do you maintain their focus on the issues that matter, and walk away from the board meeting with the resources or approvals you need to manage IT risk for the organization?