What you need to know about information security risk management
In my line of work, information security risks have proven to be some of the biggest cybersecurity risks we’ve dealt with. A few months ago, I was meeting a client about updating their information security risk management strategy and I could see that I was not having much luck convincing him about a compliance issue we were having. For the sake of this post, let’s say his name was Tom.
“Tom”, I remember saying, “Compliance is not a luxury for a company of your size and in the industry you work in. It’s absolutely essential because you deal with customer information on a daily basis. Information security is one of the most vulnerable elements of cybersecurity and you can’t only defend it with rudimentary protections, which are more suited for much smaller companies.”
It wasn’t an easy conversation but finally, I managed to convince him that his compliance with ISO/IEC 27001, which is a leading information security management standard, was something his team had to do if we were to continue working with them meaningfully.
Unfortunately, easy conversations are not something inherent to information security risk management. It’s really a long road with many stumbling blocks along the way, but it is a crucial one for modern companies.
Having worked with quite a few organisations to contain these types of threats, I’ve learned a few things. Let’s take a look at what these are.
COMPLIANCE IS JUST ONE ASPECT OF INFORMATION SECURITY RISK MANAGEMENT
Something I’m always in the habit of saying (and you can ask my teams and clients!) is that compliance is not security. It’s certainly a very useful first step, but it’s not the beginning and end of your information security risk management processes.
Here, I’d be remiss not to discuss ISO/IEC 27001, which is one of the first security standards we refer to when we talk about information security. This comprises a set of processes and activities - basically, an information security risk management system - that detect, analyse, and address information security risks. What’s important to note is that there is no universal list of measures to follow - organisations are free to choose from a list of protocols that will help them protect their information securely, in line with the specific nature of their business.
While this is not the only information security standard out there (another important one is PCI DSS), it’s usually the best place to start. But, as I mentioned, this is just one aspect of this entire process.
RECOVERY IS AS IMPORTANT AS RISK ASSESSMENT AND RISK TREATMENT
One thing I’ve noticed is that when it comes to just about any information security risk management plan, everyone is only interested in addressing risk assessment and treatment. While both of these are the basic building blocks of your strategy, you need to make sure that you’re focussing on recovery as well.
Recovery, here, refers to the processes you have in place to restore your capabilities and service delivery following a cybersecurity attack or a near-breach. These procedures need to help you restore normalcy within your organisation while investigating the breach that occurred and implementing changes to your policies and procedures to prevent attacks of a similar nature in the future.
As you can see, your information security risk strategy needs to incorporate all elements of risk management and remediation.
CONSTANT MONITORING AND ANALYSIS IS JUST AS IMPORTANT AS GETTING A POLICY DOWN
Something else I firmly believe in is monitoring and analysing how your risk management policies are working for you. Finding the perfect strategy is usually an ongoing process, involving plenty of fine-tuning. This needs to be the norm because security threats are constantly evolving and you need to stay on the ball to ensure your information security risk management policies are up to the task.
When working with a security service provider, make sure your strategy includes continuous, or at least frequent, monitoring and analysis.
NAIL YOUR INFORMATION SECURITY RISK MANAGEMENT STRATEGY WITH THE RIGHT SUPPORT
Your information security strategy is, arguably, one of the most important elements of your overall cybersecurity plans. If you lack the right security resources, get the support you need to build your strategy.