Security chiefs urged to embrace risk

Chief information officers should be more strategic when shoring up enterprise systems

Chief information security officers were urged to take a more strategic approach to guarding corporate networks at a gathering of security leaders in Amsterdam this week. The current obsession with tactical issues raised costs and impeded business efficiency, they were warned.

Speaking at the start of its Security Forum EMEA in Amsterdam, Forrester Research principal analyst Jonathan Penn argued that CISOs need to create efficiencies through strategies like outsourcing, and then invest in tools to measure and report on these efficiencies in a way their chief executives can understand.

"CISOs are asking themselves 'how can I meet the challenges if I don't have the budget or skills in my team that I need?'," he said. "They should be looking at things that aren't too complex but can make a difference."

"CISOs' lack of influence comes from having to respond to every single security issue and not focus on projects which can help them gain influence," he added. "So they need to work more with business groups by setting up things like security steering committees to get buy-in for projects."

Quick-win projects may include ensuring application bugs are fixed during the development phase, a greater focus on staff training, and introducing a proactive scanning and patching system for system vulnerabilities, he added.

IT security chiefs are rarely afforded much time to flesh out business cases, so it is imperative they can convey their priorities succinctly, argued Andrew Strong, global security director of Unilever. Getting business backing for security initiatives required him to design processes which were "lightweight, understood and business-relevant".

He estimated that he is given "half an hour" to explain security priorities t o other executives. Unless he can do that, he "won't get into their diary," he said.

Strong added that executive sponsorship is vital for transformational risk management initiatives, but that establishing dialogue with key sponsors can be a long process. "You need to determine their risk appetite, but it takes some time – new personalities can come in, people change and priorities change with that," he said.

He also advised firms to create a decision-making framework to ensure all stakeholders are working to the same consistent definitions of risk. This can enable the business to manage risk themselves and only use the security department "as a trusted advisor in an exception", Strong added.

The ability to define security policies in terms of risk was gaining acceptance with the financial services sector, reported Jan Douw, a director in risk and security at banking giant ING. Colleagues are practised at assessing risks, and find it easier to assess the business impact of IT security when it is expressed in terms of risk, he added: "The better it is understood and managed the more growth can be achieved."

But there can be dangers when explaining IT risks to business colleagues, he warned. "As risk managers we need to try and find a way to interest and work with business managers," he explained. "But never accept responsibility for risk, that is the line manager's responsibility."

Douw added that security risk managers should follow existing processes - such as the Basel II Advanced Measurement Approaches (AMA) for operational risk - when they engage with the business, rather than inventing new risk management processes

In an opening keynote at the forum, Forrester analyst Thomas Raschke argued that although CISOs are beginning to appreciate the importance of risk management initiatives, many still ignore "the risk elements that are not obvious". He added that technology should only form a very small part of the overall security strategy.

"You need to understand business risk and tolerance, translate risk decisions into risk policies, codify those policies into processes, then support the processes with technology and people," he explained. "Technology should not take up most of your time; it's just a small layer between the processes and people. "

Forrester's Penn added that firms must include corporate as well as customer data in their data security programmes, as many firms underestimate the cost of intellectual property breaches.

"When you lose corporate data it won't get in the headlines but could be just as damaging and the controls you put in place should be the same," he explained. "There are a lot of compliance requirements looking at data protection and having a compliance framework to rationalise controls is important otherwise people spend recklessly on piecemeal solutions."