Matt Anthony, VP of Remediation Security Services at Herjavec Group shares his views on managing risk. Prior to joining Herjavec Group, Matt held numerous leadership positions focused in enterprise security programs, most recently at Alberta Health Services, a $14 billion, 115,000 seat enterprise.
Matt has been at the forefront of the information security practice for many years, building and implementing effective programs to govern and manage risk. He has developed and operated Security Operations Centres, led security incident response practices, created policy and governance frameworks, and implemented and operated digital investigation teams. Matt believes strongly in positioning information security as an enabler of business by promoting an architectural and risk-based approach to program development and management.
There is only one reason to implement a control, and that is to manage risk.
To fully understand the impact of control you have to be able to measure and evaluate risk. As information security leaders you will invest money on behalf of your business to improve its security architecture. But how do you truly know your risk is being managed?
Effective use of risk management in information security has two benefits.
First, it will allow you to make reasonable decisions about IT security investments and drive acceptance of new controls, which we can classify as risk management treatments. This will help position information security as a business enabler, and not solely as a cost centre.
Second, it ensures that fundamental risk management decisions are not withheld from business leaders and – puts risk accountability where it belongs. One of the things we often observe is that CISOs or their staff know about problems – risks – but don’t report them. Or they report them in a way that doesn’t promote decision making (complaining about funding is not risk management or risk reporting).
Consider the impact of a risk that you knew about, but hadn’t reported, becoming a major incident. Who is accountable?
Risk represents the likelihood of a threat and a vulnerability meeting. If you implement a control – a new network access control system for example – you have made a decision that the vulnerability has a credible threat and that the cost of the risk coming to bear as a security incident will likely have a higher cost than the control you’re implementing. Very often, information security leaders face pressure to implement controls without properly evaluating their risk management decisions.
Measuring the cost, which can be financial, reputational, or regulatory, can be difficult. Measuring the cost of the control over time, and its impact on business efficiency can also be extremely challenging. If leading an information security portfolio was easy, anyone could do it. You’re here to do the difficult.
We believe every information security leader should:
- Use a framework for reporting and managing risk, and understand where in the organization risk management decisions can be made.
- Use consistent and standard language and classifications.
- Integrate with the Enterprise Risk Management frameworks if they exist.
- Inventory and classify your assets – know the value of the information you’re protecting.
- Test and evaluate the vulnerabilities you have – you can’t effectively manage risk if you don’t know your vulnerabilities.
- Research and evaluate the threats and threat agents.
- Examine your existing controls and risk treatments.
- Calculate or estimate the risk.
- Within the risk management framework, determine the correct risk treatment (accept, avoid, mitigate or transfer)
- Choose the risk treatment that is the most effective and matches your company’s risk appetite. Be mindful of the total cost, including the wider impact on the business.
- Ensure that any risk management, like a new technology control, is effective at reducing risk.
While it’s challenging to fully explain the scope of Information Security Risk in a single post, many books have been written on the subject. We recommend IT Risk by George Westerman and Richard Hunter.
Herjavec Group can help your business develop a complete risk management framework. For more information on Herjavec Group’s vulnerability assessment and consulting practices please contact us.
Follow us @herjavecgroup