FRSecure is the leading IT security coaching and consulting firm behind the well-known FISASCORE. At the 2019 Siouxland Cybersecurity Forum, Xigent hosted John Harmon, FRSecure’s president. Harmon shared insights about why security risk assessments are critical, based on first-hand working knowledge of hundreds of organizations, including many financial institutions.
Organizations are focusing their attention and resources on security-related matters for three reasons, Mr. Harmon said: compliance, fear and stewardship.
No matter the business model, continuing risk assessments are critical to information security.
Harmon suggested a measured approach when identifying and mitigating organizational vulnerabilities. He recommends organizations model the likelihood, impact and maturity of various types of risk factors. Risk factors should be segmented by:
Achieving the right amount of security coverage is critical; however, businesses often overlook important aspects of security coverage. For example, people can represent significant risk to corporate security. Mitigating that risk requires behavioral change, so proper coverage would include a good training program. “We can agree that ‘people risk’ can’t be fixed by technology. Behavior modification will come only through time and effort of other people,” Harmon said.
Security policies and procedures based on known standards do more than codify best practice. Adherence to standards such as those from NIST can help protect organizations from infringing proprietary intellectual property and from incurring added civil and financial risk.
Three major issues merit proactive attention, according to Harmon, and they are beginning to dominate C-suite agendas.
The threats to business operation and reputation are rapidly escalating. Harmon recommends getting ahead of them with well-managed IT security systems and routines. “Doing it on your own terms – early – is a lot cheaper than waiting for someone to tell you to do it in a short period of time,” he stated.
John had some stories about how his firm found gaps in clients’ security, and what practical things could be done to protect others. The stories made it clear that organizations that don’t take security seriously and instill a security-conscious culture may not survive much longer in the current environment.