To those who have not yet discovered it, security and risk management is a mind-set. When you go into a shop or restaurant, you may automatically check out the security and note where the exits are. If so, you will also check as to how secure the financial transactions are. How does the waitress handle the credit cards? How far the credit card machine is to staff and other customers. You will have noted the location of the security cameras, the lack of a security station or the location and the number of bouncers.As a security and risk specialist, you will always be thinking about and assessing the security scenarios but not to exploit or take advantage of it but to be aware. You cannot switch it off, its the way you are. It is the same for members of the emergency services, never really off duty.
Security Compliance
If you have to consider a risk management approach to security compliance, as part of your many regulatory obligations, the best way to approach compliance is through risk. It is ineffective to focus on the bare minimum, just ensuring you are simply compliant. Threats and vulnerabilities are forever mutating, growing and changing. The bare minimum is not enough. This is the first principle of IT security and of risk-based IT management.
When looking at new applications, components, systems or architectures, check out the risks to your business and the risk to your core information. Those are the important things to note. You are concerned if it meets a line item associated with HIPAA and SOX.
Pattern recognition
The 'always on' risk management mind-set is always looking for patterns, checking out ways of doing rather than items on a regulatory checklist. You will look closely for items that pose a threat to your core assets, those that you are responsible for and have dedicated your reputation to protecting.
When somebody comes to you with a potential security problem, even if you know nothing about the particular system or application, you can assess it by the application of the risk framework and therefore formulate a validate set of pertinent and probing questions.
Secure games
Most security and risk managers live and breathe in a security mind-set, whether they are hardcore techies or recruits from the business side. The methodology they follow day by day at work is the methodology they live by, outside of work. Even at conferences, when they unwind afterwards with a soft drink, they invariably play a Where’s Waldo? version of security gaffes, competing to see who can spot the most security lapses. It can appear very weird and a little black, if you are outside the circle.
Nailed by the business
The mind-set can have its limitations and can be self-perpetuating. There is an old adage that says 'If you are a hammer, the whole world looks like a nail.' Indeed, when taken by surprise, the average security and risk manager is typically out manouvered by something that happens on the business side.
Good grief! Have they learned nothing? You can’t believe that the business would make such a decision. Just because you have a structured, risk averse and secure mind-set, you forget that 'normal' people don’t always think that way.
Damage control
What happens next is up to you. If the security has been jeopordised or the risks are too high then it is your task to get it back into line and put the geni back in the bottle. The fact is clear, you are dealing with consequences. The business has taken a chosen path and you have to control the damage, mitigate against it or make it right. After all, isn't that your job as security and risk 'support' person? In reality, you are seen by the business (suits) as being in the same category as the IT help desk and that is all you are.Although it is accepted that the security and risk manager serves and protects the
organisation and its profits, until it can be unequivacally determined how you can directly make money and grow the profits for the organisation, you will always be considered as merely a supporting act. So, let's make up and get on with it! The show must go on!
Posts
No comments:
Post a Comment