Jay Heiser, research vice president at Gartner said that most corporate IT expenditures are inevitably under intense scrutiny with the current economic uncertainty, and that IT security and risk management are no exception.
“The key to justifying and optimising security spending is to ensure that security and risk control practices are meeting explicit business objectives and, crucially, to persuade the business to take ownership of risk”, he said.
However, Heiser warned that information security professionals are unlikely to achieve these critical goals if they fall into one of four common risk management mistakes:
Taking a ‘one size fits all' approach to security and risk management
All business units or every single component within a business unit do not require the same level of protection, or the same level of security spending. Security spending must reflect the assessed level of risk and overspending and overprotection must be avoided. Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk.
Making plans based on what the security organisation wants, not what the business needs
Informaiton security professionals have historically made technology-centric investment, implementation and deployment decisions based on what they believe is required, rather than on what the business needs, Gartner said. Security plans and security budgest must be based on business objectives, and if business managers cannot or will not provide information about risk significance of their business processes, then high-level managers must step in and mediate, Gartner added.
Making risk-related communications too complex for the business to understand
Informaiton security professionals must also develop a consistent way to express and articulate the security-criticality of specific IT systems, information assets and business processes. Gartner recommended a simple three level scale – high, medium and low – to provide a common reference point for articulating the business criticality of IT that can potentially be used for a corresponding set of risk management service levels.
Allowing LOB managers to transfer their risk to the IT organisation and the IT security organisation
Line of business (LOB) managers often make the mistake of presuming that IT’s 'standard offering' will effectively address any form of IT risk. Such an approach makes the IT organisation the scapegoat for security failures and any consequent reduction in perceived service or flexibility, Gartner warned. Internal 'market forces' can help align risks with benefits if all systems and information assets are ‘owned’ by specific business managers who are accountable for any failures in security or continuity.
“The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services”, Heiser concluded.