The traditional compliance-based approach towards security – just checking boxes in a security framework – is being replaced by a business-wide risk analysis approach. “The new breed of CSO is taking a systemic approach to security that goes way beyond compliance, and takes the whole risk posture into view,” explained Candy Alexander, CSO at Long Term Care Partners. This is the conclusion of a new report from Wisegate, a community of senior IT professionals from all corners of industry, that recently held a roundtable discussion among CSO members.
Compliance still exists and remains important, but becomes just one factor in the risk profile rather than the entire role of the CSO. “The regulations are still there,” notes the research, “but department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements to mark off a checklist.” It’s an evolution of attitude that marks, says Wisegate, “an ‘ah-ha!’ moment for the entire organization.”
That ‘ah-ha!’ sometimes follows pain. “Business people need to feel the pain,” commented an information security manager from a large non-profit during the Chatham House Rule discussions. “If you’re unfortunate enough to have something like a big data breach that makes the headlines, then that just might be the ah-ha! moment that moves the company towards a risk-based approach.”
The problem is that compliance alone isn’t protecting the company. The result is that the compliance checklist is being replaced by a researched risk profile that includes the organization’s risk tolerance level. This profile differs between companies and is fluid within companies, so requires constant interaction with all other business departments – and their users. “Ask end users, ‘What is it about your department and your activities that you’re worried about?’” commented one senior security manager. “There’s always one little thing out there that makes the department think, ‘Oh, my God, if this fails, we’re screwed.’”
But risk tolerance remains difficult to define; “which is why it's important the security team works alongside line of business partners to work through assessments and keep the conversation going on a regular basis,” explained Randall Gamby, information security officer at the Medicaid Information Service Center of New York. “Definitions, thresholds, and tolerance levels eventually get clarified, and executive leadership will know when something carries too much risk.”
The overall picture is that security is becoming less of an enclave and more of a business-wide solution: researching, defining and implementing risk management that combines a compliance view with an overall risk tolerance view of defending the organization.