Identifying enterprise security risks
What color is your information risk today?
By Jim Hurley | CSO | Published: 11:58, 25 January 2011
Information is the lifeblood of business. Valuable corporate data is available to employees, business partners and contractors. It is accessed locally, in the cloud and virtual environments, providing instant access to non-public sensitive information. Making matters worse, employees typically do not ask permission to load third-party software or applications on their laptops and mobile phones, devices that are connected to their companies' networks and data stores.
The convenience and business value of "information anywhere" comes with risk. While companies want to support devices, software and applications that enable employees to get the job done, they must do so while carefully monitoring and managing business risks related to the use of information and IT.
One solution for information anywhere is "information security everywhere," but this is impractical and unachievable. Organisations need to determine when convenience results in too much risk and what should be done to limit risks. This is a major challenge, especially when you consider that most organisations cannot answer the simple question, "What is our information risk today?"
Related Articles on Techworld
Only 8 percent of organisations can determine what the color of their information risk is today within a day or the same week, according to benchmark research on the state of business risks related to the use of information and IT conducted by the IT Policy Compliance Group. Furthermore, 2 percent of organisations cannot answer this question at all or the response is delayed by nine months or more; 70 percent of organisations are unable to answer this question within three months and 20 percent take between one week and three months. Poorly defined business risk, inadequate gathering of information, ill-equipped reporting systems and un-prioritized controls contribute to these unreasonable delays.
Getting priorities right
The IT Policy Compliance Group found there are significant differences in how well organizations are prepared to meet the challenges of information anywhere and anytime and in the ability to define and manage the business risks. Organisations experiencing the lowest business risks related to the use of IT can answer the color of their information risk today because they have the right organizational processes, controls and reporting systems in place.
These organizations begin by defining the business risk from the top down and then prioritising them. Risks arise from day-to-day execution of business functions; they include managing cash, sourcing risks, accounts that are deceivable, credit risks, legal risks, market concentration risks, regulatory risks, competitive risks, reputational risks and operational risks.
The most successful organisations are utilising the skills of multiple departments and functions to both define and manage business risks related to the use of IT. Wider participation of more stakeholders enables organisations to prioritise the external pressures, the business risks, identify the core organisational risks related to the use of information and IT assets and use reporting systems to more effectively monitor, manage and balance tradeoffs between policies, risks, exceptions and controls.
With respect to IT controls and operational processes, companies with the lowest business risks employ several unique practices. Nearly three-quarters of these organisations routinely classify sensitive information assets and identify IT assets with access to sensitive information. Nearly two-thirds consistently maintain an inventory of the locations of sensitive information, detect or prevent the leakage of sensitive information and use information security controls to protect sensitive information.
In addition, the IT Policy Compliance Group found that the rate at which risks and controls are evaluated is very different among organisations. There is a direct relationship between outcomes and the elapsed time between the assessments of risk and controls. The organisations with the lowest risks implement very frequent risk and controls assessments with very short elapsed times between assessments (weekly to bi-monthly), while the rate is quarterly or less frequent among organisations experiencing worse outcomes.
Automation drives better outcomes
The level of automation to gather information and produce reports on information risks and controls is also directly related to achieving better outcomes. Simply put, the worst performing organisations have the least automated procedures and the best performers have the most automated procedures to gather information and produce reports focusing on operational, financial, reputation, headline and brand risks related to the use of IT.
Organisations with the lowest business risks automate the collection of information around IT controls and organisational processes and deliver customisable reports connecting the dots between business risks and the use of information and IT. The IT Policy Compliance Group found that 80 percent of the procedures to gather information and produce reports about the business risks related to the use of information and IT assets are automated by organisations experiencing the best outcomes.
In contrast, organisations with the most loss or theft of customer data, the most business downtime and the largest difficulty sustaining audit results are automating just 11-12 percent of the procedures to gather information and produce reports.