Post on 21-Jan-2017
Drive Your Business
Proactive IT Security and Risk Management
Nine effective strategies to face growing threats
2 ©2015 WGroup. ThinkWGroup.com
As IT security threats grow, companies need to develop more effective strategies to
manage risks and prevent breaches. Yet despite the increasing risks, many companies lack
comprehensive plans and procedures that can help them minimize the consequences of
threats. By taking a more proactive stance and making IT security and risk management
an integral part of the business, companies make their systems, applications, and
services more secure while driving growth and gaining a competitive advantage.
Introduction
The consequences of risk
Today, almost every company depends on IT services and applications for a variety of critical functions. No business can afford to ignore the threat of an IT security breach or other incident. Application downtime can result in multi-million dollar losses and data theft can lead to damaged reputations, lawsuits, and significant fines. As rates of cyber-attack climb to record highs, companies must take a more proactive stance towards security and risk management.
The importance of a proactive stance
Many companies take a reactive stance to IT security. They implement basic security, complying with regulations and providing a baseline defense against attacks, but do little else. By taking a more proactive stance, one that evaluates all potential risks, prioritizes critical systems and chance of attack, and actively manages and evaluates risk in the organization, companies can gain a competitive advantage and create a safer, more stable IT environment.
This paper will discuss in greater detail some of the major challenges in IT security risk
management and nine ways your company can be more proactive and effective.
Challenges faced in risk management
There is an increasing sense of angst across boardrooms and IT departments about
security and risk management. Many companies know that one major breach could
lead to millions in losses and damage to reputation, but they aren’t sure about the most
effective way to deal with the problem. As the number of business functions depending
on IT systems increases, so too do the number of attacks. Businesses must find more
effective ways of facing these threats and integrating security into the entire company.
The high costs of downtime
The IT department has become one of the most critical components of practically every
business. Communications, data, productivity, customer service, and revenue generation
can all be greatly affected in the event of a breach or other incident. Companies need to
take this into account when developing their risk management and security strategies.
The growing consequences of IT risk
For all Fortune 1,000 companies, the average total costs of unplanned application downtime ranges between $1.25 billion and $2.5 billion each year with infrastructure failure costing up to $100,000 every hour.[1] Downtime can have a major negative impact no matter the size of your business.
Loss of sensitive information
Most businesses store large volumes of sensitive data on their servers. When attackers steal or destroy that information, serious repercussions can ensue. Businesses that hold customer credit card or other personal information can face lawsuits, fines, and damage to reputation that can be significantly larger than the direct costs of an attack.
No integrated approach to risk management
Risk can affect all parts of an organization, and every element should be considered as part of a whole. However, many SMEs manage risk in silos and don’t have an integrated approach to risk management across the organization. This allows for less cooperation among employees and between departments, making risk strategies less effective. If too many resources are devoted to reducing risk in one area while diverting resources from another, the net outcome could be no risk reduction, or even increased risk for the company as a whole. Risk mindfulness must be infused throughout the company, and a strategy should be in place to develop comprehensive systems for managing all forms of risk.
Effective, proactive IT security and risk management must involve the entire company,
not just InfoSec specialists and not just the IT department. With a cohesive program that
covers people, process, and technology across the business, companies can significantly
reduce risk in a cost-effective way. Below are nine ways to form more proactive IT
security and risk management strategies that encompass the entire company.
Nine steps to more proactive risk management
1. Agree on risk appetite
The first step in developing more effective IT security and risk management strategies is agreeing on a risk appetite. It is important to talk to all major business leaders within the company to decide on priorities, make cost/benefit analyses and figure out what systems are mission critical, how long the company can afford to do without applications or services, and what the business continuity plans must account for. Deciding on these priorities early on and figuring out how secure IT really needs to be will help form clear guidelines for security and risk-management efforts.
2. Take a full risk profile
After making a baseline determination of a company’s risk appetite, you need to enumerate potential risks to IT security, the impact of various scenarios, and current security policies, systems, and procedures. This allows the company to better understand what its security strategies need to accomplish and helps prioritize efforts and resources.
Start by asking questions
Talk to consultants, colleagues, experts, and others inside and outside the company. What are the most common threats, what systems are vulnerable, and what are the best means of preparing for those risks? Learn how vulnerable your industry is as a whole and what the relevant risks are for companies in that industry. This helps form an overview of potential risks and which issues to address in risk-management strategies.
Use risk modeling
Risk modeling can be extremely effective in helping decide how to improve IT security. Companies should constantly be working to refine risk measurements and modeling to facilitate a more complete analysis and evaluation of various risk scenarios. Investing time and financial resources into this process can provide great insight into what areas need more work and where efforts should be allocated.
Examine technologies
The technology your company uses must be evaluated to determine its potential to increase
risk. Don’t take anything at face value. Look at the open-source software the company uses to
determine whether it is free from malicious code and is built securely. Also examine the software
and systems developed in-house to make sure they meet the company’s policies for security.
Make the risk profile comprehensive
It is important to create a comprehensive risk profile that takes into account a wide variety
of scenarios that could involve employees outside the IT department. Also take into
account vendor and supplier relationships during this process. With a greater number of
IT services being outsourced to third parties, it is important to ensure that these vendors
adhere to company policies and can properly protect systems and information.
Don’t ignore non-financial consequences
Although the financial impacts of a breach or other incident can be great, they are not the only concern. Political and reputational impacts should be considered with due weight when forming an accurate risk profile. These factors can greatly influence the success of the company and the success of those who work there.
Regularly review risk profile
The world of IT is constantly evolving and many of the security strategies that worked five years ago are obsolete today. The risk profile should be regularly reviewed and revised to account for changing technologies and emerging risks.
3. Differentiate perceived and inherent risk
One key step in developing an accurate, effective risk profile for your organization is
differentiating between perceived and inherent risk. This can help the company better
identify real threats and focus on the initiatives that will have the greatest impact.
Perceived risk
These are the items that you believe could be a risk, but actually may not be significant. An example of this would be a backup generator not being able to last for several days in the event of a power outage. Although it is possible for this to happen and to adversely affect the company, it is unlikely that the power will be out for such a long time, and the costs of ensuring that this does not occur are too great to justify.
Inherent risk
These are the items that are serious, likely risks. For example, a company in the financial services sector has an inherent risk of attackers attempting to access their servers. This is a risk that is present just by the very nature of the industry. These are the risks that a company must discover and allocate enough resources to protect against.
Learning to differentiate between these types of risk can be extremely beneficial in developing more effective IT security and risk management strategies for an organization. It is important to remember that no company can fully prepare for every risk. Given limited time and resources it is important to focus on those risks that will have the greatest negative impact and that are the most likely to occur.
4. Establish a budget and allocate resources
Spending on IT security and risk management can be difficult to explain. Given that it involves
preparation for possible outcomes, rather than work toward more tangible goals, it is often
hard to come up with a sensible, justifiable budget. The truth is, every company could spend
more on security and risk management and be better protected for it. The key is to find
the perfect balance that aligns spending with your company’s risk profile and appetite.
Base the budget on risk profile
A company’s general risk profile can be used to set an appropriate budget. Taking into account a company’s size, industry, risk appetite, and other factors helps determine how much risk the company will be facing and what a reasonable spend could be. Develop a metric to balance potential risks with the costs associated with reducing those risks. By basing the budget on real statistics, spending can be more easily justified to others in the company.
Decide on in-house or third party solutions
There are many third party IT security and risk management vendors that can provide a wide range of services, including forensics, assessments, disaster recovery, and penetration testing. These services can greatly improve the security of a company with limited resources to invest in hiring specialized personnel.
5. Identify actionable steps to reduce risk
Proactive IT security and risk management means taking actionable steps that will have a measurable impact on a company’s security. These steps should go beyond a basic reactive stance that focuses on putting out fires that have already started. By taking information security into your own hands, risk can be reduced in a better, more cost-effective way. Examples of proactive steps include:
Penetration testing
Often, there’s no way to know how secure a company really is until it is subject to attack. All companies should regularly have an InfoSec professional conduct a full battery of penetration tests to overcome this problem. By simulating real-world attack scenarios, testers will help identify weak spots in IT security and provide a better overview of what works and what doesn’t.
Active virus and malware scanning
IT should regularly perform automatic and manual reviews of a company’s servers and workstations to ensure that there are no viruses or other malware present. This helps reduce the risk of attackers intercepting information, APTs, and other potentially serious threats.
Test phishing attacks
Although this can be considered part of a more general suite of penetration testing, testing against phishing attacks is so important it deserves its own category. Phishing attacks are one of the most common ways attackers gain unauthorized access to systems. A simple employee mistake can have devastating consequences. By performing a simulated phishing attack, you can gauge how prepared the company is for this scenario and identify ways that current policies can be improved.
Monitor the community
Taking a proactive stance toward IT security involves paying close attention to the InfoSec, IT, and industry communities. By learning about new threats, modern countermeasures, and other relevant news, companies can be more confident that they are prepared for what’s out there.
6. Implement training programs
The most experienced InfoSec professionals using the most advanced technology can’t
prevent successful attacks if other employees in the company don’t understand basic security
concepts. Most breaches occur because an employee didn’t follow protocol or made a small
mistake. Phishing attacks, which rely on under-trained individuals sharing their login credentials,
are one of the most common ways breaches occur, but they don’t work if the potential victim
is informed. That’s why implementing a comprehensive training program is a critical part of
any IT security strategy. By arming employees with knowledge to avoid threats and adhere to
company security policies, you can greatly reduce risk in a significant and cost-effective way.
7. Make risk management a key business function
Most business leaders see security and risk management as a cost center. Although they may
view it as a necessary expense, they see it as low value nonetheless. This often makes it difficult
to get the required resources allocated to projects that make IT systems more secure. This line of
thinking is flawed. In reality, risk management is a key business factor, something that can provide
a competitive advantage and drive shareholder value. In this light, IT security and risk management
should be a core business function, led not by a technical head, but by a business executive.
Some key ways security and risk management drive business goals:
Security improves service
When websites, applications, and other IT services go down in the wake of a security breach or other incident, service suffers. By reducing risk, companies improve the reliability of their service and build a better brand.
Security improves trust
In light of the drop in stock prices following recent attacks on Target, Sony, and Anthem, there is little doubt that security breaches affect the way companies are seen. Inadequate IT security can severely damage the public’s trust in a business, causing sales to fall, stock prices to decrease, and shareholders to lose faith in management.
Security generates revenue
Although security might not generate revenue in a traditional sense, it can provide
a net positive financial return on investment. When servers supporting a revenue-
generating website go down during a DDoS attack, there will be significant losses
for the company. If security measures are in place that prevent the server from
going down, the company is able to generate revenue it could have lost.
8. Learn from others
No company needs to face mounting security risks alone. There is a wealth of information about new threats, defense measures, and other InfoSec topics available to companies. This security intelligence can tilt the scales in your favor and provide valuable insight into what strategies should be put in place. Some ways to share information with others:
Use established standards
Structured Threat Information eXpression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII) provide companies with a structured means of automatically sharing threat information with each other.
Join industry groups
Industry groups that are part of the Information Sharing and Analysis Centers allow members to gain up-to-date warnings about relevant security threats. Learn more about joining one of these industry groups at http://www.isaccouncil.org.
Third party assistance
Third parties like Soltra provide automated threat-intelligence solutions to companies around the world, allowing them to gain instant, regularly updated information about current security threats. Learn more about Soltra at https://soltra.com.
9. Make information security and risk management a permanent part of the company
No IT security and risk management strategy is finished. Companies should not expect to implement perfectly secure policies and systems overnight, but rather strive to constantly make iterative improvements. Information security and risk management need to be in the DNA of every employee at the company. It is not a one-time event, but should be adapted into every business process.
Assign a risk management executive
Risk management is a critical business function, and requires a dedicated executive to
oversee it. The risk management executive should report directly to the CEO or COO
and actively work to analyze risk within the company, devise strategies to reduce it, and
oversee the implementation of those strategies. Having an executive with this function
helps companies form more cohesive, consistent risk-management strategies.
Make InfoSec and risk management part of major decisions
Everything from mergers and acquisitions, to hiring and infrastructure should take risk and security into account. Every change in a company affects the risk profile. By considering the implications in this light, you can avoid decisions that increase risk beyond a company’s appetite.
Review and revise strategies
Plans, systems, and procedures should be regularly reviewed, and those that are
found inadequate should be replaced. This helps ensure that strategies that aren’t
working don’t continue well past their usefulness. It also increases the effectiveness
of risk management efforts and can reduce costs. Good risk strategies aren’t static
but constantly adapt to changing technologies and realities within the company.
If you’d like to learn more about this and other issues facing the modern CIO, visit http://thinkwgroup.com/insights/.
References
[1] http://devops.com/2015/02/11/real-cost-downtime/
Founded in 1995, WGroup is a boutique management consulting firm that provides Strategy,
Management and Execution Services to optimize business performance, minimize cost and create
value. Our consultants have years of experience both as industry executives and trusted advisors
to help clients think through complicated and pressing challenges to drive their business forward.
Visit us at www.thinkwgroup.com or give us a call at (610) 854-2700 to learn how we can help you.
301 Lindenwood Drive, Suite 301 Malvern, PA 19355
610-854-2700
ThinkWGroup.com