2. Get a handle on asset value
To manage risk, it's not enough just to know how serious a threat is, says John Meakin, group head of information security at Standard Chartered Bank. You also need to understand the probability of that threat actually being exploited in your environment, the value of the assets that are the targets of the threat and the likely effect on your business. Only then can you really know if the cost involved in mitigating a threat is justified, he says.
That approach has allowed Standard Chartered to do things like defer installing security patches -- even critical ones -- on some systems because it decided that the effort was not worthwhile, based on the actual risk.
Similarly, it has allowed the bank to permit unauthenticated access to some of its internal systems because there are enough compensating physical security controls.
"Once you use a risk-driven approach, it actually is incredibly liberating. It allows you to challenge some of the long-held rules" related to the use of security tools, Meakin says.
Core to this approach is the need to understand asset value, he says. Not all IT systems are created equal, and not all of them present the same risks or have the same level of exposure to threats. Therefore, it's important to assign a business value to the IT assets in your organization, says Meakin.
Asset value is based on factors such as the criticality of applications or the services supported by an IT asset and its interdependencies with other applications and infrastructure components, he says.
For instance, an Active Directory server that supports multiple business-critical applications would likely be considerably more important than a server running an e-mail application, from a business continuity standpoint.
3. Implement a control framework
Once you have a good idea of the desired state of security, choose the most appropriate set of technology, management and process controls to help you get and stay there.
Perhaps the most efficient way of doing this is to implement an internal framework that maps business and risk management requirements to their appropriate IT controls, says Eric Litt, chief information security officer at General Motors.
"In order to make good decisions, you need to have a framework for your security program," he says.
Standards such as the Cobit control framework, ISO 17799/27001 and COSO can help IT organizations identify the controls that will help them meet their particular business needs and comply with regulatory requirements, Litt says.
"You get every single tool underneath the sun," he says. "That's what these frameworks provide for you."
The ISO 27001 and 27002 frameworks can help a company develop policies, procedures and processes for meeting its risk management and compliance objectives, Litt says. They also provide a list of technology controls that need to be used to meet those objectives.
For example, the frameworks can be used to decide the appropriate tools to meet an internal data access control objective or to comply with a statute that requires data logging and auditing capabilities.
A formal framework gives companies a way to quickly assess how effectively their controls are working, because each security control is mapped to a specific business or compliance objective, says Marc Othersen, an analyst at Forrester Research.
"It shows why a control is there in the first place. It links security controls to IT risks and shows what would happen if a particular control fails," says Othersen. "The IT risk management goal is to put context around a control failure."