Tuesday, 30 September 2008

Creating an Effective Security and Risk Management Culture

Superheroes are not here to prevent things from happening—we can't afford to be drawn to a superhero model with respect to security and risk management. The alternative is to have a mandate from the top and to earn the trust of the organisation as a whole.

The head of security must be:

  • Never considered an obstacle
  • Consulted by the business
  • Someone who listens
  • Someone who knows how the company makes money

Even better:

  • Considered an added value
  • Sought out for advice
  • Read by the board/CEO (their reports)
  • Integral to IT planning

The head of security must also understand the constraints on their activity:

  • Regulations: External/Internal [effectiveness of rules is a function of organizational culture]
  • Cultural Proclivity [effectiveness of rules is a function of organizational culture]
  • Market Forces [if it affects the bottom line, it will automatically become a priority]
  • Technical Possibilities [functions in spite of control subject]

How many security officers does it take to make an enterprise secure? Just one... but the enterprise must want to be secure. Awareness, willingness, ability: this is the natural logical progression as we raise security awareness.

Can we come up with a form, based on the service catalogue, to get numbers for the level of confidentiality, integrity and availability the business needs for each of those systems? We need to make sure that data owners assess their own data criticality, and that data owners explicitly accept the associated risks.

The key message is that business owners own the risk, not us. They might delegate to us the actions that reduce risk, but we don't own the risk for them. Work with business owners to determine the risks, and make sure they understand the residual risk that remains after we have performed the agreed actions.
