Conquering The Risks
Essential elements help create risk management strategy
- By John B. Harris
- Nov 11, 2009
Corporate security has evolved over the years to recognize that physical security and information security are linked, and both need to be considered if a corporation is to succeed.
However, while physical security management has evolved to embrace proactive risk management, information risk management remains oddly reactive. Only a comprehensive, proactive and appropriate information risk management plan will help keep the company secure and in turn provide other benefits.
The Information Spectrum
The first step in this process is to understand what information actually means. It’s found across the enterprise in every department and in different categories: regulated, confidential, intellectual property, branded and classified. It’s found in documents -- not just sheaves of paper, but also the electronic documents we deal with on a daily basis: PDFs, 3-D drawings, e-mails and spreadsheets.
It’s the data that’s transported back and forth between headquarters and district offices, partners and customers, and stored in laptops, databases, servers, and even mobile devices and USB removable memory. Moreover, organizations are collaborating across a broader range of media than ever before: phone, VoIP, Web conferencing, e-mail, IM and even social media networks.
And one can’t forget the human capital in each corporation, containing the organization’s brightest ideas and most critical information.
Historically, enterprises have focused on technical risks such as viruses, spyware and application vulnerabilities. These continue to evolve rapidly and present a serious threat. Unfortunately, the risks don’t stop there. There are risks of malicious intent: employee turnover, information e-mailed out of the enterprise, social engineering attacks and stolen laptops, for example.
Corporations also need to consider compliance risks involving privacy, judicial mandates, export considerations and regulations such as Sarbanes-Oxley. System availability and downtime also can run a company into the ground, especially if those systems must remain up 24/7 to process mission-critical transactions.
All of these risks bear on a corporation’s reputation, with dire consequences: lost revenue, competitive disadvantage, regulatory penalties, and eroded brand and market confidence.
Finally, there is the human element -- the No. 1 risk to any enterprise. Management often lacks the motivation to understand the actual risks involved and the need to plan ahead of the curve.
Technology is not the solution; it’s simply a tool to serve policy and planning needs. Vendors too often claim that they have what it takes to solve all of your problems. The truth is that no one technology can do so. In order to best understand which solutions will manage both your risks and information, you need to codify your plans in a clear, concise security policy. This high-level document should involve and address all stakeholders.
Once readied, it should be well-communicated to all employees. Drafting and sticking to this policy should be step one in your risk mitigation strategy.
The mantra of “policy first” has been repeated numerous times, but organizations worldwide still fail to follow through. Deloitte’s latest Global Security and Privacy Survey found that on average only half of the companies surveyed had formal security policies or strategies. Another 20 percent reported they had one in draft form, while the rest noted that they didn’t have any or would have one in 12 to 24 months.
What does this mean? Half of these organizations are reactively managing their information risk in a vacuum, without clear goals. Only when a security policy is complete should the focus turn to technology solutions.
In With the New
Even though you still need to protect against traditional, serious threats like malware, application vulnerabilities and poor user access controls, today’s security management strategy must deal with the reality that information travels every which way in corporations, and the old way of doing things can’t cope with an evolving information-centric economy. An effective, information-centric risk management strategy has three parts: discovering and classifying sensitive information, controlling access rights and maintaining confidentiality over that information, and assuring information integrity and authenticity.
In order to understand which information is critical to protect and which isn’t, an information classification strategy can help to cut through the chaos and let everyone know how to deal with information they produce minute-by-minute. The layers of classification should be easily understood by general employees and IT alike.
Once an organization has determined the information that needs to be protected, it’s time to move on to controlling access to that information. Data loss prevention technologies have become quite popular over the past few years and can take the form of disk encryption software, e-mail and file transfer scanning, and file-by-file encryption. Taken together, they can create an effective barrier against most sensitive information leaving the corporation by accident.
In fact, Deloitte’s survey indicates accidents are one of the top reasons for internal breaches.
Data loss prevention is key in today’s information-centric security model. But the technology may best be deployed in coordination with an enterprise rights management solution. While DLP solutions can scan content for sensitive information and protect it against particular threats, they can halt the fluid exchange of information needed by today’s enterprises.
Rights management solutions create security policies that travel along with a document and remain in place even if the file is copied or transferred. They can block access, printing and copying based on a variety of parameters. The best products are dynamic so the documents effectively phone home at various intervals and can be revoked or have the security parameters changed.
Document versioning and expiration also can be tightly controlled. Native integration and ubiquitous access to viewing software that can parse the security features also are critical elements.
Once in place, a rights management solution can allow a global manufacturing company to securely exchange product planning and design documents with its contract parts manufacturers abroad by limiting access to only the sections of the documents required by each contractor. A financial services company could share customer financial data securely around the institution knowing that if the file found a way out of the enterprise, no one could access its contents.
A consumer electronics company could send price lists out to its channel partners and provide new price lists regularly by locking the old price list and providing links to a new one.
An information risk management solution isn’t complete without thinking about assurance, integrity and authenticity. Controlling access to sensitive information is absolutely critical, but if that information can’t be shown to be authentic, the corporation will likely be impacted by regulatory penalties, along with revenue and reputation loss. Technologies like electronic signatures can play a critical role in an organization’s information governance strategy.
The non-repudiation of electronic contracts can be ensured with legally valid electronic signatures. Data processes can be backed by digitally signed audit logs. Regulatory filings, invoices and other critical, official documents can be digitally signed and certified to prove their authorship as well as confirming the author’s intent and content.
In fact, signatures and approvals are critical elements in most information exchange processes today. A well-implemented solution will not only eliminate the cost of printing and delivering paper documents, but actually provide for a more collaborative and manageable process, where customer and business relationships can be enhanced.
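The digitally signed audit logs mentioned above can be demonstrated with standard-library cryptography. The following Go program is an added example, not code from the article: each audit entry carries the SHA-256 hash of the previous entry (a hash chain) and an Ed25519 signature over its own canonical form, so an auditor holding only the public key can detect both an edited entry and one removed from the middle of the log. The key is generated in memory for illustration; where the key lives in a real deployment (for example, a hardware security module) is an assumption left out of the example, and the sample events are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record. PrevHash links it to the entry before it and
// Sig covers the entry's own canonical bytes (which include PrevHash).
type Entry struct {
	Seq      uint64
	Actor    string
	Action   string
	PrevHash string // hex SHA-256 of the previous entry's canonical form
	Sig      []byte // Ed25519 signature over canonical(entry)
}

// canonical produces the exact bytes that are hashed and signed.
func canonical(e Entry) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s", e.Seq, e.Actor, e.Action, e.PrevHash))
}

func hashEntry(e Entry) string {
	h := sha256.Sum256(canonical(e))
	return hex.EncodeToString(h[:])
}

// Log appends signed entries using a key held by the logging service.
// (Constructed example: key protection is out of scope here.)
type Log struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewLog() (*Log, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Log{priv: priv, Pub: pub}, nil
}

// Append chains the new entry to the previous one and signs it.
func (l *Log) Append(actor, action string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = hashEntry(l.Entries[n-1])
	}
	e := Entry{Seq: uint64(len(l.Entries)), Actor: actor, Action: action, PrevHash: prev}
	e.Sig = ed25519.Sign(l.priv, canonical(e))
	l.Entries = append(l.Entries, e)
}

// Verify checks sequence numbers, chain linkage and every signature using
// only the public key. It returns the index of the first bad entry, or -1
// if the log is intact.
func Verify(pub ed25519.PublicKey, entries []Entry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != uint64(i) || e.PrevHash != prev {
			return i
		}
		if !ed25519.Verify(pub, canonical(e), e.Sig) {
			return i
		}
		prev = hashEntry(e)
	}
	return -1
}

func main() {
	l, err := NewLog()
	if err != nil {
		panic(err)
	}
	l.Append("alice", "approved invoice 1042") // constructed sample events
	l.Append("bob", "exported customer report")
	l.Append("alice", "revoked partner access")
	fmt.Println("intact, first bad index:", Verify(l.Pub, l.Entries))

	// Edit the middle entry: its signature no longer verifies.
	tampered := append([]Entry(nil), l.Entries...)
	tampered[1].Action = "viewed customer report"
	fmt.Println("after edit, first bad index:", Verify(l.Pub, tampered))

	// Delete the middle entry: the sequence and chain break at the next one.
	deleted := []Entry{l.Entries[0], l.Entries[2]}
	fmt.Println("after deletion, first bad index:", Verify(l.Pub, deleted))
}
```

The signature gives non-repudiation of each entry (only the holder of the private key could have produced it), while the chain makes the order and completeness of the log part of what is signed; truncation of the newest entries is the one case this layout cannot catch on its own, which is why production systems periodically anchor the latest hash somewhere the logging service cannot rewrite.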
Bringing it Together
Here are some tips to help you in creating your corporate information risk management strategy.
Prioritize. You simply cannot address every single risk nor protect every bit of information. Focus on information types and threats so the remaining risk is acceptable and meets your business requirements.
Think holistically. Don’t attempt to cloud your security policy and strategy with minutiae about each risk, nor let the shifting threat environment be your only guide. A good, flexible strategy will keep your organization protected against existing and emerging threats.
Build friends and allies. Selling your information risk management plan will be easier if you develop relationships with colleagues in management who share your vision.
Information governance and stewardship. Being in charge of an information risk management strategy means you need to be a careful steward of your organization’s information assets. Take that responsibility seriously and think in the medium to long-term to best address both security and enterprise needs.
Don’t rely on regulatory compliance to do it for you. While it is critical to comply with the regulations that impact your organization, don’t equate good information risk management with compliance. A company that is observing the tenets described above and applying persistent, content-centric security and assurance tools will most likely meet or exceed the requirements of regulations.
The Benefits of Doing it Right
Beyond the basic peace of mind that comes with an effective information risk management strategy, corporations implement these strategies to eliminate the potential for costly breaches that impact not only the bottom line, but also reputation.
The Ponemon Institute publishes an annual study on the cost of data breaches. It estimated that the average cost of a single breach in 2008 was around $6.6 million, or $202 per record lost. In a time when every company is struggling to achieve revenue, losses like this are untenable and make an irreversible impact on reputation.
A well-realized information risk management strategy has other benefits: enhanced business agility, competitiveness, efficiency and cost savings. Corporations can dramatically lower costs over time by directing funding toward a focused, best practice approach. Easier, faster, more secure collaboration with partners and customers leads to better revenue potential. Technologies like electronic signatures can dramatically alter an organization. Contracts that once took weeks to sign can be signed in minutes, saving companies tens to hundreds of dollars per contract in delivery costs, productivity and staff.
There’s a lot to consider here. Understanding the scope of information that can be at risk is mind-boggling. The internal and external risks to today’s corporation are disturbingly complex and always in motion. Thousands of tools are fighting for your attention and dollars. And you, the security professional, need to synthesize all of these inputs and create an overarching strategy to protect an employer. Thinking proactively will save the corporation time, money and resources. Finally, the reallocation of investments along the lines of this strategy also will position an organization to succeed when the economy turns around.