Implementing a Practical, Economical Risk-Based Information Security Program

It’s important to realize that it’s difficult—if not impossible—for companies of all sizes, not just those in the middle market, to eliminate their information security risk. Smart companies accept that a breach will eventually happen, and there’s a point beyond which investing more capital in preventing a security incident no longer pays off.

A more practical approach is to create an affordable, risk-based information security program by utilizing some readily available tools. Then, if needed, you can seek additional support from an outside advisor, who can recommend appropriate tests and solutions.

A Risk-Based Approach

When an IT breach makes headlines, the first response for many businesses is to identify the source of the breach and rush to make sure that particular breach can’t happen to them.

However, this often leads to an ongoing game of whack-a-mole because the culprits are constantly changing their tactics, techniques, and procedures. What was once an effective breach technique can morph into a new strain of malware or another technique that wasn’t anticipated or even previously known, which still leaves you vulnerable.

How do you know what to protect and how to do it? A risk-based security approach can be an effective way to answer that question.

Six Steps

There are six steps to implementing this kind of strategy:

  • Identify your assets and related threats
  • Identify and prioritize risks
  • Implement foundational security controls
  • Build a security program
  • Develop a security improvement roadmap
  • Establish executive support and organizational engagement

Once implemented, these steps could help keep risk at acceptable levels, so that key stakeholders can respond quickly and appropriately to future threats.

Identify Assets and Related Threats

The first step is taking stock of the data you have and assessing its value and the threats that may impact it. The elements necessary to begin building an effective risk-based program include knowing:

  • The type of data you have
  • Where it resides
  • Its value
  • Who has access to it
  • The purposes for which you use it
  • Threats likely to materialize

A surprising number of organizations don’t know exactly where all their sensitive data resides.

Identify and Prioritize Risks

This approach encompasses the people, processes, and systems your organization interacts with. There are a handful of things to watch out for when identifying risk. Consider the possible objectives of a formidable threat actor such as an advanced persistent threat, the attack vectors available to it, and the resources you have available for preventing a security breach. It’s also helpful to look ahead at emerging threats.

Once risks are identified, you can rank them based on operational goals, business risk tolerance, regulatory considerations, and other criteria dependent on what’s most important to the business. The processes that handle sensitive data must also be known and documented.

Once you know what sensitive data exists and which threats are likely to materialize, develop a risk prioritization scorecard. Each risk is catalogued in a spreadsheet and its impact measured against whether confidentiality, integrity, or availability would be compromised.

The individual risks are then plotted on an X-Y graph with “likelihood to occur” on the X axis and “impact of occurrence” on the Y axis. The resulting risk prioritization chart, derived from the risk scorecard, shows in its upper right quadrant the most likely and impactful risks facing the business, which are the ones that should be addressed first.

While this process is somewhat subjective and qualitative, take care to build it carefully because it will serve to inform executive leadership of the business risk profile.
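As an added illustration (not code from the article or from Moss Adams), the scorecard and chart described above in Python: each constructed sample risk carries a likelihood and impact rating plus the C/I/A properties it would compromise, is placed in a chart quadrant, and is ordered so the upper-right risks come first, which is also the list the roadmap step later draws from. The 1-5 rating scales, the threshold of 3 for “high”, and the ordering of the three remaining quadrants are assumptions, since the article fixes none of them.

```python
from dataclasses import dataclass
# Constructed sample register: the article fixes no rating scale, so the 1-5
# ordinal scores for likelihood and impact used here are an assumption.
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int       # X axis: 1 = rare .. 5 = almost certain
    impact: int           # Y axis: 1 = negligible .. 5 = severe
    affects: frozenset    # which of C, I, A the risk would compromise

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")
        if not self.affects or not self.affects <= {"C", "I", "A"}:
            raise ValueError(f"{self.name}: affects must be a non-empty subset of C/I/A")

QUADRANTS = ["upper-right", "upper-left", "lower-right", "lower-left"]

def quadrant(risk, threshold=3):
    """Chart position; a rating at or above threshold is 'high'. Upper right = likely and impactful."""
    likely, severe = risk.likelihood >= threshold, risk.impact >= threshold
    if likely and severe:
        return "upper-right"
    return "upper-left" if severe else ("lower-right" if likely else "lower-left")

def prioritize(risks, threshold=3):
    """Upper-right first (as the article directs); other quadrants ranked high-impact
    before high-likelihood (an assumption); highest likelihood x impact first within a quadrant."""
    return sorted(risks, key=lambda r: (QUADRANTS.index(quadrant(r, threshold)),
                                        -(r.likelihood * r.impact), -r.impact, r.name))

def render_chart(risks):
    """Text chart: impact 5..1 down the rows, likelihood 1..5 across the columns;
    each cell lists the 1-based position of the risks that land there."""
    cells = {}
    for n, r in enumerate(risks, 1):
        cells.setdefault((r.likelihood, r.impact), []).append(str(n))
    rows = [f"I{i} | " + " ".join(",".join(cells.get((l, i), ["."])).ljust(4)
                                  for l in range(1, 6)) for i in range(5, 0, -1)]
    return "\n".join(rows + ["     " + " ".join(f"L{l}".ljust(4) for l in range(1, 6))])

SAMPLE = [  # constructed entries, not taken from the article
    Risk("Ransomware on file server", 4, 5, frozenset("CIA")),
    Risk("Payroll vendor breach", 3, 4, frozenset("C")),
    Risk("Phishing credential theft", 5, 3, frozenset("CI")),
    Risk("Data center power loss", 1, 4, frozenset("A")),
    Risk("Lost unencrypted laptop", 3, 2, frozenset("C")),
    Risk("Website defacement", 2, 2, frozenset("IA")),
]
```

Running `print(render_chart(prioritize(SAMPLE)))` draws the chart with the three upper-right risks numbered 1 to 3; `Risk` rejects entries with out-of-range ratings or no C/I/A property so a malformed spreadsheet row fails loudly instead of being silently ranked.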

Implement Foundational Security Controls

After the most likely and impactful risks are identified, you can begin to implement some foundational security controls and processes. These are basic in nature and should be implemented, operational, and regularly tested, regardless of business size or complexity.

Basic Foundational Security Controls

  • Perform due diligence with third parties and business partners that handle sensitive data on your behalf
  • Monitor critical systems where sensitive information resides
  • Implement encryption for critical business data
  • Have a comprehensive vulnerability management program to quickly identify and remediate vulnerabilities
  • Understand and define who owns information security within the business to assess the existence of proper governance
  • Train and educate all employees, especially those who interact with high-risk data, so they understand the associated risks and responsibilities as well as best practices to safeguard it
  • Have a well-crafted incident response plan that’s tested annually

Build a Security Program

There’s an abundance of information available on how to build an end-to-end security program. Consider implementing the following areas:

  • Governance and management. Create an organizational structure, processes, and leadership to define, manage, measure and keep risk within agreed-upon levels.
  • Threat management. Understand your adversaries and their tactics, techniques, and procedures to put appropriate protections in place and to help anticipate future threats.
  • Security monitoring and analysis. Detect threats by utilizing even a rudimentary security log to monitor your system and perform analysis on its output. Quickly discovering an intruder can be the difference between a security incident versus a full-scale breach.
  • Incident response. Perform a mock incident event annually to test if the program works as designed. It’s important to have a defined process, engaged stakeholders, and native security logs available.
  • Data security. Protect against unauthorized access to sensitive data by making sure tools are installed and configured correctly.
  • Infrastructure security. Choose adequate systems designed to protect an internet-connected business.

In addition to these core components, input from internal audit, legal, and assurance departments must be considered and implemented so regulatory requirements and compliance standards are met.

Develop a Security Improvement Roadmap

Using your risk prioritization scorecard and chart, select the risks that need to be reduced first. Typically, these are found in the upper right quadrant of the risk prioritization chart.

Reducing these risks may involve process changes, new or updated technology, or additional staffing. These remediation efforts become the basis for new roadmap projects. Costs, timelines, and staffing needs are identified for each project, along with estimated risk reduction values. Depending on the information security maturity of the business, the projects can be foundational, advanced, administrative, or technical in nature.

Establish Executive Support and Organizational Engagement

It’s the responsibility of information security leadership to clearly articulate to executive leadership the value of funding these projects and the corresponding risk reduction achieved.

One of leadership’s most important tasks is to secure appropriate funding and resources, a sometimes daunting obstacle that’s typically caused by ineffective risk discussions with executive leadership or a higher-than-average risk tolerance.

Information security should be a board room topic. If it’s not, find a supporter or executive sponsor for the information security program. Inform this sponsor of what information security is, what security is trying to achieve, and the expectations for the executive leaders so they can support security initiatives. Quantifying risk in terms of dollars spent versus dollars lost is an effective way to get the attention and support of executive leadership.

We’re Here to Help

Information security can be complicated to set up and difficult to maintain. By using a risk-based approach, costs can be managed without sacrificing effectiveness. Ultimately, the goal is to create a low-risk environment using just the right amount of capital and resources.

To learn more about how you can protect your organization with a risk-based program, contact your Moss Adams professional.