The Balancing Act
In reviewing my LinkedIn notifications I was wonderfully surprised to find an article written by Gideon T. Rasmussen, VCISO topic: Cyber-Security and Operational Risk Maturity. As soon as I saw it I was thinking this is center to our consulting business I better pay attention. So here we go.
Rasmussen's talks about U.S. Department of Commerce's, N.I.S.T. (National Institute for Science and Technology). For a great many of us in the IT security practice N.I.S.T. for years has been the go to "tool shed" for in-depth building blocks. Their publications can take you from the very beginning of .... What should I do? Where do I start? To a polished well informed presentation. N.I.S.T. has a great many publications and they are 100% free.
I do take issue with Rasmussen regarding this statement:
"There are no requirements for disaster recovery or business continuity. The card brands do not care if your business goes under, as long as their payment card data is secure."This is a nit, and can also be style but the point has to be made. Their are literally hundreds of best practices for disaster recovery and business continuity and they should be put to use, despite the lack of attention by card brands to advise this. Promotion of best practices is something we owe to the industry as a whole in our writings and presentations. Taking on the Card Brands for lack of attention to Rasmussen's legitimate concerns would do better as a separate article, another a day and time in my eyes. We're talking Cyber-Security and Operational Risk Maturity. At Integris Security we push all to stay focused. Good practice is too important to relegate to tomorrow's news. Let's keep it up front and worthy of continual presence and persuasion in our discussions in how to improve cyber-security and operational risk maturity.
In maturity level II, I love this discussion of controls and it reminds me of C.O.B.I.T., as well as the many information security joint forums held with ISACA in years past and their auditor/members. You gotta love the structure that these individual professionals have developed and the principles that they follow. This is a serious group of security professionals and we could all learn allot from them. Rasmussen then lays out the common controls read: GAP analysis, and Risk based deployment of controls, while not much new here he provides a great review. All solid material for a CEO and others within the organization to read and understand when weighing decisions on investment in the security program or cutting the fat off an already lean program. These decisions will not be easy ones for sure.
My own note here:
The Cyber-Security and Operational Risk Maturity discussions can not be left alone to the operational business units, departments or divisions of your company. These discussions need to expand and involve audit committee's at the board level and become a fluid ongoing discussions lead by the chair of the audit, technology and other important committees as the board and operational personnel try to achieve a balance of risk Vs reward and continue to build market value for the company's shareholders and investors.
In maturity level III, Risk Management, Rasmussen covers it nicely and I smiled as he stated:
"It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape."Nicely done Gideon T. Rasmussen, these words couldn't be truer. It also reminds me to tell our readers to remember that each organization has its own culture. Some are very risk sensitive and others not so much so. I often use Johnson and Johnson and Martha Steward Living as examples. Two great companies but their approach to security was night and day. Johnson and Johnson a security controls organization (almost war like) and Martha Steward Living a creative design firm. The cultures were completely different at the time of my interview with security personnel. Management of your and the company expectations are very important. Don't get ahead of your skates or you may get caught off balance. Knowing the culture of your organization is key and very important. Now that you have new security and risk management information in hand how do you operationalize it? The best advice is work with your team and leader and try to introduce incremental improvements to improve your organizations overall security/risk posture. This will work to your benefit for the short term tactical business operations as well as long term strategic planning for important improvements.
Your threat and vulnerability map will be constantly evolving, as targets and priorities come and go. The risk assessment report provides you with items for your to-do list. The report will show best practices and offer a target rich list for you to prioritize. Rasmussen I believe understands this and covers it nicely and provides some bonus points by laying out some bullets for a prospective slide deck to communicate your findings and setting some future objectives.
The Risk Register is a platform to inform and Rasmussen points this out clearly. Want to know more about your risk? The Risk Register is a place you want to go to identify, define, understand impact, respond, prioritize, and take notes. Its an invaluable tool given to us by the folks from project management.
Maturity level IV, Strong Risk Management, Rasmussen lays out a ten step program.
This information is a like having a great cyber-security road map. However, just like any road map their are going to be detours, accidents, potholes and your going to need the awareness, patience and skills to work around it all. If you follow the program laid out by Rasmussen you'll be in a better position to mitigate those great unknowns and navigate your way freely from obstructions.
1. There is appropriate separation of duties in the CISO’s reporting structure, such as reporting to the CEO, Chief Risk Officer or Board of Directors. When the CISO reports to the CIO, it is a conflict of interest 2. Cyber-security metrics, KPIs and KRIs feed into an Enterprise Risk Management program. 3.The CISO provides updates to the Board of Directors or similar executive group. 4.The cyber-security program maintains controls specific to line of business products, services and assets. 5. A process management program is in place, to include policy, an inventory and process risk analysis. 6. A fraud prevention program is in place, to include fraud risk assessments conducted by an independent third party. 7. An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis. 8.The organization leverages the Three Lines of Defense Model, with active support from operational management, risk management and compliance functions and internal audit. 9. Operational functions and lines of business are required to declare self-identified audit issues, with metrics in place to demonstrate the control environment is improving continuously 10. Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers
At Integris Security we say: you make it, we make it secure! We look forward to having these and many other important discussions with you and really enjoyed our read of Gideon T. Rasmussen's LinkedIn article concerning Program Maturity - Cyber-Security and Operational Risk Maturity and hope that you will too! Their is much to learn and many experiences to endure before we can truly say we're secure.
#Cyber-Security #HomelandSecurity #InfraGard #ISSA #ISACA #FFIEC #NIST
#Cyber-Security #HomelandSecurity #InfraGard #ISSA #ISACA #FFIEC #NIST
