CISOs today face a new challenge in the way they must protect information assets for their particular organization. The primary reason for this is because information is now stored digitally, which creates vulnerabilities that can lead to devastating consequences. In addition to a possible security breach, CISOs must also remain in compliance with government regulations in regards to security. The challenge they face is called risk tolerance. Risk tolerance is assessed by exploring all possible security threats, deciding which ones are serious and implementing rules and protocols on how to deal with them. Every organization is different, therefore, risk assessments may vary greatly depending on the nature of the organization. When determining a process, keep these three crucial factors in mind: how an organization decides on risk tolerance, security risk assumption decision-making, and who has the authority to assume security risks.
How to delegate risk tolerance within your organization
You can start by creating a formal risk tolerance model which goes far beyond the standard government compliance checklist by documenting procedures regarding risk tolerance and assumption. In addition to a formal risk tolerance model there should also be a less formal strategy in place that only top ranking officials within an organization have the clearance assess and fix. A less formal a strategy may not follow a model or even have controls in place on how to deal with risks, and this can create problems. A good model includes a mix of both formal and informal strategies. One problem with an informal strategy is that the lines of communication can easily be lost and problems may be looked over, but that is what a CISO is for. Whether your organization yields a high risk assessment or a low one, it is important to formally address the protocols assigned to risk tolerance and make a document that is readily available to every employee. Most employees want a blueprint to follow, that way they can shift the burden of “making a wrong call” from themselves to faulty organizationioal policies. Obviously the less formal strategies will not be included in the formal document, for security reasons, and are a lot more complicated, as they revolve around a need to know basis.Typically these “less formal” strategies are implemented and executed by the CISOs, upper level management and the CEO of a particular organization.
In a mature organization that carries a high to moderate risk the standard protocol used is enterprise risk management (ERM): a process that addresses each threat individually. An ERM can be defined as a strategic business control that supports the achievement of an organization’s objectives by addressing the full scope of potential risks and managing the combined impact of those risks in a risk portfolio.
Establish security motives
It is important to be aware of what motives influence the type and level of security you choose to implement. If you can conceptualize those motives it will enable you to evaluate them on a critical thinking level. Questions that may be asked are: does this policy add value to this organization, align with our strategic goals and truly protect our clients. All three points may be crucial to the success of your organization. To establish what drives your security protocols here are three factors to take into consideration.
- Regulatory compliance concerns: Many organizations are predominantly driven compliance
- Privacy and security risks: This is associated with the information technology practices
- Industry and/or competitive pressure: Many are simply concerned with risk assessment because it is the new standard in practice and their competitors have already implemented a plan
It stands to reason that the best motives to consider when developing your risk assessment strategy is to use a combination of the three factors I just mentioned. Of course you must stay in compliance with government regulations, your security risks should be taken very seriously and you should stay on top of current industry trends.
All organizations are different and their security levels can vary greatly, some may not need a formal strategy. However, is is crucial to understand the motivating factors that influence the extent to which you choose to implement a risk assessment strategy. It is wise for all organizations to establish a formal risk assumption model. That way if some unforeseen risk pops up in the future there will be documentation readily available that establishes basic procedures in how to deal with security risks. This document must be created by the real insiders such as the CEO and/or the board of directors because it must be a truly unique and intimate process.
How is risk assumed, and by who
There are two critical factors to take into account when developing a risk tolerance model: formally documenting enterprise risk tolerance and delegation. Delegation of who can make security risk decisions is critical and because of its’ serious nature should be created by the Board of Directors and/or the CEO. Although this area is one of the primary functions of a CISO, some risks must be handled at a higher level, which must be established beforehand. Threats may be delegated according to the seriousness of a particular risk.
Business unit executives should only have authority to make risk decisions that are contained within the boundary of their business unit.Once security issues have been delegated to a specific business unit it will be easier to determine whether that threat is contained within the unit or has the potential to impact many units or other businesses.
Disclosure, Disclosure…Document everything that happens along the way when a risk has been exposed. Document its’ nature and how it has been dealt with. Was it effective? This way you can start by recording you own data and analyzing the results with the intention of discovering new ways to tackle those risks.
A formal security risk assumption process should be documented and approved by the CEO and/or the Board of Director, it is a critical first step to successfully resolving contested risk tolerance issues. Just plug in my three key points and you will be on your way to establishing procedures that will help you to reduce your risk tolerance.