Every so often, IT security professionals find themselves in the spotlight after a security crisis. Delighted with the attention the incident brings after a successful resolution, they will submit proposals for improvement, which you may approve if the problem and its resulting media circus are painful enough. Making changes to processes in this way benefits no one, however: such changes are born of emotion, not sound logic. A more holistic long-term strategy is to find the points of failure and institutionalize risk management in the company’s culture instead of patching holes piecemeal.
Security Should Be Part Of Your Company DNA
Recognizing information security as an integral component of every part of your business is difficult at first. However, habitually thinking of security can help you build it into business activities such as budgeting, strategic planning, marketing, human resources and purchasing, effectively making it a zero-cost activity. Such a process can break the oft-encountered cycle in which IT is understaffed and somewhat unprepared (or perhaps you have no security staff or plan at all) and scrambles in response to a crisis, some encouraging but short-term improvements follow, and soon thereafter information security once again receives little to no attention. This rollercoaster of service ineffectiveness is one you need to avoid, as it encourages wasteful spending and unpredictable staffing.
Risk Management Is A Process, Not An Accident
Managing risk within your business’ regular processes is a simple loop that forces everyone to evaluate risks and to consider how to reduce actions and behaviours deemed unacceptable. You should include some or all of the following steps in your processes, combining or omitting steps as necessary:
- Define security requirements – state the desired outcome as a policy, or solution following a recent incident
- Implement controls – who will be responsible, and how will results be reported?
- Inventory assets – know what needs attention, and how large your workload will be
- Identify threats – what are known problems or security holes? Are there possible “known unknown” risks?
- Assess vulnerabilities – look at your known security problems, and rank them based on criticality
- Evaluate compliance – are legal and industry guidelines being adhered to?
- Propose changes – suggest ways in which security concerns can be rolled into existing processes to save time and money, and to avoid omissions
- Analyze effectiveness of the changes – using a cost/benefit analysis, determine whether the improvements are feasible, or whether there is an easier way to get the work done
- Approve the development and deployment of new requirements – communicate the new process(es), and the net benefits that will follow, to the organization
Being involved with security-specific policies that require your approval will make you more aware of what IT is doing to protect the company. You will work more closely with IT staff, and a hidden benefit may be noticing other areas for improvement in IT beyond security. Even if your employees are not consciously thinking “protect the data”, instilling this culture of managing data responsibly will reduce panic when an actual security violation occurs, and a more effective response will be mounted to recover from the event.
Security Fixes May Lead To Other Wins
To reduce the amount of effort required across your organization, add a risk management component to your existing processes and projects. Examine the interdependent systems shared between IT and Legal, Finance and other departments. Do not apply a single cookie-cutter solution to all of your systems, since applying one solution across dissimilar programs will leave gaps. As you prepare documentation for a risk review or for approvals in the annual budget, you may discover potential problems and opportunities to fix them. Deal with each discovery quickly, and your security posture will gradually tighten. If a company is not large enough to warrant annual meetings of department heads with IT staff, a Virtual CIO service will be of help.
Security Policies Should Not Be Stagnant
Recent information security breaches should have you looking at all aspects of your business, no matter how inconsequential an action may seem. Once a policy has been put in place your work is not finished – you must regularly review and update processes as your staff and technology change. If we look at the recent British Columbia and Yukon Ministry of Education data loss of over 3 million staff and students’ personal information, there was no malicious intent or outside threat. A well-intentioned backup policy put in place from 2011 quickly became a risk; by today’s standards, a review of the data storage policy should have required encryption of the data, not to mention a more secure storage facility than a cardboard box in a file room. Such inaction has led to a wasteful expenditure of people, time and money in the hunt for the missing data.
As you build an IT security management and review process into annual meetings and the corporate culture, you will find that your awareness of how the company works grows, and you may gain a fresh perspective on other process improvement opportunities. It provides the opportunity for final sign-off and for rational, well-informed decisions to be made.