The next step for information risk management

By Rajat Mohanty, CEO, Paladion Networks

SME owners and the CEOs of large enterprises alike are losing sleep over information security, despite investing heavily in technology to improve business performance. Those technology investments, however, are made to innovate and accelerate the impact of technology for customers rather than to protect the data itself. Compliance and security teams often approach their CFOs for the budgets needed to strengthen the company’s security and compliance programs; but CFOs, being risk-averse by nature, mostly focus on the business and the bottom line. In view of this, the next step in information risk management is for CFOs to bring innovative ideas to the table that help their companies remain competitive.

To do so, CFOs need to bring the facts into focus so that CEOs take an interest in risk management decisions. These steps are neither quick nor easy. The CFO and CEO need to identify every asset that contains or transmits the information they are trying to protect. That could be personally identifiable information (PII), protected health information (PHI), payment card information (PCI), or any other proprietary or sensitive information important to the business. These information assets include not only the applications but also the ‘media’ that hold them: servers, back-up tapes, desktops, laptops and thumb drives.

Next comes the identification of threats to those assets. These fall into several classes: environmental (floods, lightning, fire); structural (infrastructure or software failure); accidental (uninformed or careless users); and adversarial (hackers, malicious insiders). The following step is to identify the vulnerabilities of those assets: for example, no data backup, no encryption, weak passwords, no remote wipe, no surge protection, no training, no access management, no firewalls, no business continuity plans, and so on.

Making informed decisions on risk treatment involves isolating every combination of an asset, a threat to that asset and a vulnerability the threat might exploit; where these three do not coincide, there is no risk to the company’s information. This, however, is only the initial stage of information risk management. Determining the likelihood of each threat exploiting each vulnerability follows suit, and this step can be considerably harder because there is rarely specific data to support a calculable likelihood. Some companies tackle this with a simple high, medium and low ranking, but other metrics also need to be factored in to assess likelihood: industry breach statistics, data-type breach statistics, data loss statistics by cause, industry complaint statistics, the breach and/or complaint history of one’s own organization, and the details of any security or privacy incidents.

Once the likelihood has been determined, enterprises need to build a risk list, with the highest-impact risks at the top, the lowest-impact risks at the bottom and everything else in between. With the list in place, the CISO, CFO, CEO and the rest of the C-suite need to come together, hammer out solutions and determine the cost of each risk.
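The procedure described above (inventory the assets, match threats to the vulnerabilities they can exploit, rate likelihood and impact, then rank the result) as a small Python risk register. This is an added illustration, not code from the article or from Paladion; the assets, findings, threat catalogue, incident history and rating scales are all constructed sample values, and the history-based uplift stands in for the organisation's own breach and complaint statistics.

```python
from collections import namedtuple

LEVEL = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"PCI": "high", "PHI": "high", "PII": "medium"}  # by kind of data at stake
BASE_LIKELIHOOD = {"environmental": "low", "structural": "medium",
                   "accidental": "medium", "adversarial": "high"}

# Constructed sample inventory: asset -> kind of information it holds.
ASSETS = {"backup tapes": "PHI", "laptops": "PII", "card database server": "PCI"}
# Constructed findings: vulnerabilities observed on each asset.
FINDINGS = {
    "backup tapes": {"no encryption", "no business continuity plan"},
    "laptops": {"no encryption", "no remote wipe", "weak passwords"},
    "card database server": {"no firewalls", "weak passwords"},
}
# Constructed threat catalogue: threat -> (category, vulnerabilities it can exploit).
THREATS = {
    "flood": ("environmental", {"no business continuity plan", "no data backup"}),
    "careless user": ("accidental", {"no training", "no remote wipe"}),
    "lost device": ("accidental", {"no encryption", "no remote wipe"}),
    "hacker": ("adversarial", {"weak passwords", "no firewalls", "no access management"}),
}
# Constructed incident history: how often each threat has already hit this organisation.
HISTORY = {"lost device": 3}

Risk = namedtuple("Risk", "asset threat vulnerability likelihood impact")

def score(risk):
    return LEVEL[risk.likelihood] * LEVEL[risk.impact]

def likelihood(threat):
    """High/medium/low by threat category, raised one step when the organisation's
    own incident history shows the threat has recurred (a simple proxy for the
    breach and complaint statistics the article mentions)."""
    base = BASE_LIKELIHOOD[THREATS[threat][0]]
    if HISTORY.get(threat, 0) >= 2 and base != "high":
        return "high" if base == "medium" else "medium"
    return base

def build_register():
    """Keep only (asset, threat, vulnerability) triples where all three line up:
    a threat with nothing to exploit on an asset is not a risk. Rank high to low."""
    register = [
        Risk(a, t, v, likelihood(t), IMPACT[ASSETS[a]])
        for a, vulns in FINDINGS.items()
        for t, (_, exploitable) in THREATS.items()
        for v in sorted(vulns & exploitable)
    ]
    return sorted(register, key=score, reverse=True)
```

Calling `build_register()` on the sample data yields eight ranked risks; the flood threat never pairs with the laptops because none of their findings are ones a flood exploits.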

In a nutshell, continuous evaluation and re-evaluation of the risks a company faces is good practice. Time, energy and commitment are the main prerequisites, but ongoing vigilance has its own rewards: beyond avoiding huge business costs, it spares the company the immense reputational damage that can stem from a data breach.
