Big Data = Better Decision Making = Better Security

When the words “big data” and “security” are used together in a sentence, usually the word “problem” or “concern” is in there too. Security is often thought of as a barrier to using big data, since data of all types – including confidential data – are being mixed together to generate analytics that can be used for better decision making. But while there are concerns, big data can actually be harnessed to improve security.

The job of the defender is to protect against an infinite number of attacks. However, a defender will always have a limited amount of resources with which to do this. The real job of the security practitioner is to prioritize remediation efforts by risk, so that the limited resources can be focused on addressing the greatest risks to the business.

Define a Communications Strategy for Risk Mitigation

A CISO usually has about 5-8 minutes in a board room to communicate risk in business terms. That is not a lot of time, so CISOs must ensure they use it wisely.

This is equally important when communicating risk to fellow co-workers. The task of getting everyone on the same page can be daunting and many CISOs will find the following situations very familiar when trying to communicate risk:

  • Being unable to schedule meetings with business units to discuss security initiatives
  • Publishing weekly security reports for months, only to find out that nobody has been reading them
  • Presenting security awareness materials to a group, only to receive blank stares instead of meaningful questions

IT and Business Working Together for Better Compliance

Organizations worldwide are taking stock of their IT risk management plans. At one time, audits were the driving force behind companies examining their IT risk factors to ensure they were in compliance with industry mandates. Now, however, we are seeing a shift away from this kind of thinking. Risk management is no longer left solely to IT. IT risk management has made its way to the boardroom. C-level executives are taking notice of how IT risk can affect their organization from a business standpoint. As CISOs and their IT departments have known for a long time, technology alone will not keep an organization secure and protected.

In order to manage risk properly, organizations must understand the interrelationships between business systems. A business system is more than just technology; it’s the collection of people, processes and technology that serve a defined business function. This is why IT and business must work together: IT must know the systems and processes inherent to the business, while the business must understand risk from an IT perspective.

Vendor Risk Management in the Age of Everything-as-a-Service

Organizations now have more choices available than ever before when it comes to outsourcing information management and IT resources to third party vendors. Cloud computing and everything-as-a-service are becoming more popular, and business units in an organization are choosing to conduct more projects with third parties. In an environment where third party services are seemingly easy to use and quick to deploy, an organization’s liability and risk landscape can increase rapidly and with limited oversight.

Governance of third party vendors, assessment of risk, and remediation of unacceptable risks are critical to protecting an organization’s reputation, business, and customers. IT Security, Legal, and Finance all play an important role in identifying third party vendor projects that involve accessing and managing an organization’s sensitive data. IT Security has a responsibility to assess the risk of third party vendor projects and to ensure that the highest risks are addressed.

Practical Risk Management – Part 3

Recommendations for Implementing a Practical Risk Management Program

This final post in the series offers some recommendations on “how” to implement a practical risk management program in your organization. Check out parts one and two for the “why” and “what” of practical risk management.

Educate Decision Makers – Practical risk management relies on buy-in from the decision makers. Only by understanding the process can they make good decisions about which risks are accepted and which need to be reduced. A clear definition of risk severity levels is critical to this step.

Integrate with Existing Processes – Chances are you already have processes in place to manage and control new and changing technology and processes. Tie risk management to these processes instead of creating another meeting. A Project Management Office, purchasing process, technical review process, and change management process are all great candidates to integrate with risk management. Try to catch potential risks as early as possible in the process; it’s much, much easier to change a process or technology before implementation.

How to Get More $ for Security

IT compliance may not be as thrilling as the latest tablet computer or smartphone that users are bringing into your organization. However, for many organizations it’s the main driver for justifying IT security budgets used to protect the organization’s critical information that users have access to on those shiny new tablets or smartphones.

Admittedly, it’s fairly easy to secure funding for compliance. After all, you really don’t have a choice – you must comply with all the mandates, rules and regulations that are central to your industry. But, being compliant is just the start of what you must do. Adequately protecting that information means going beyond the minimum – which many are guilty of doing – despite everyone in IT recognizing that being compliant doesn’t equate to being secure. The problem is that justifying additional security budget beyond the compliance checklist remains a significant challenge for most IT departments.

Practical Risk Management – Part 2

Tackling Risk Management, One Step at a Time

In part one of the series I explained why information security programs should include practical risk management as a key component. In this post I will explain “the what” of practical risk management with some guidelines. The final post in the series will be “the how” of implementing practical risk management in your environment.

All information security programs are unique. The interactions of business, industry, and technology are too complex to prescribe a definitive framework for practical risk management. Instead, I will outline various guidelines and themes that any practical risk framework should contain.

Business Compatible – Above all, practical risk management needs to acknowledge and be compatible with the business it will protect. Most often the people who will accept the risk or approve the mitigation will not be security experts per se – however, they will understand the business and its goals/objectives. Presenting the risk by acknowledging business needs as well as security dangers will defuse the perception that security hinders the business instead of protecting it.

CISOs: Make the Most of Your Time in the Boardroom

People in IT leadership roles, including CIOs and CISOs, typically only have five to eight minutes of time to present in Board of Director meetings, according to the latest research from the IT Policy Compliance Group. How CISOs use this time will often determine if they get the resources they need to effectively manage IT risk.

Adding to this pressure on CISOs is the fact that their boards are more attuned to security issues than ever before. Recent data from Forrester Research notes that 70% of security decision makers report increased executive awareness of IT security as a result of high profile attacks and breaches. So now, in less than 10 minutes, CISOs need to manage interactions with the board to focus on the most critical issues while avoiding distractions from what senior executives may have read about or heard regarding cyber-attacks. As a security leader, how do you maintain their focus on the issues that matter, and walk away from the board meeting with the resources or approvals you need to manage IT risk for the organization?