Ever try to take a long trip without a GPS or an old-school road map? Think about the prospect of travelling cross-country with no reference for direction, reacting to every stretch of highway and every turn in the road. Believe it or not, this is how some organizations manage information security.
Organizations that want to manage IT risk effectively face a variety of challenges. As the tactics of malicious actors continue to evolve, it is easy to get trapped in a reactive posture. One ransomware outbreak can lead to a series of related tactical actions taken in the hope of avoiding a similar outcome in the future. While such "events" can help focus attention and funding on the need to improve specific areas of an information security program, the long-term outcome is usually a return to an ad-hoc approach to risk management. The real key to managing risk effectively is developing a defined plan and then managing to it.
There is an old saying that people don't plan to fail, they just fail to plan. The same idea applies to organizations that want to protect critical information resources: it all starts with developing a plan. While this may sound like a monumental task, the good news is that the IT security industry has established frameworks for doing exactly this. Consider the CIS Critical Security Controls or the ISO/IEC 27001 and 27002 standards as a starting point. The controls for each are readily available as downloads, and using them to conduct a "gap" assessment of the organization (comparing each control against what is actually in place) is a practical way to set priorities and build a plan for the future.
There are several advantages to developing a plan that is founded on established frameworks:
With an established security roadmap, the process of identifying and mitigating risk shifts from reactive to proactive. This change empowers leaders to manage expectations and outcomes for an effective IT risk management program. For organizations (and leaders) that have operated in a reactive "firefighting" mode, this change will take time, and it is easy to revert to old behaviors, which are often triggered by a security event. Not to worry: making this transition is a key factor in improving planning, accountability, and outcomes. Think back to the road trip example at the start of this article. Even with the trip mapped out, there is still great potential for wrong turns along the way.
But with the destination in mind, it is easy to evaluate progress and know whether the target has been reached. It is important to stay the course, measure progress against the plan, and adjust as necessary. Reassess performance against the plan at least annually, and update executives on a regular basis so that they understand the impact and value of the dollars invested.