Why Risk Assessments Are Critical to Information Security

FRSecure is the IT security coaching and consulting firm behind the FISASCORE risk-assessment methodology. At the 2019 Siouxland Cybersecurity Forum, Xigent hosted John Harmon, FRSecure’s president. Harmon explained why security risk assessments are critical, drawing on first-hand experience with hundreds of organizations, including many financial institutions.

IT Security is a Growing Business Necessity

Organizations are focusing their attention and resources on security-related matters for three reasons, Mr. Harmon said: compliance, fear and stewardship.

  • Compliance: Banks have been heavily regulated for years and now require IT security validation from their vendors and customers as well. Many other industries face significant compliance burdens too, often imposed by their own clients rather than by regulators. Whole markets are closed to organizations that cannot produce a SOC 2 attestation report, for example.
  • Fear: Any organization with sensitive digital assets has reason to fear. Data breaches are becoming more and more common, and simple compliance won’t guarantee security. Organizations must work to proactively head off security issues to protect their business and their reputation. Customers, shareholders and C-suite executives have come to expect this level of vigilance.
  • Stewardship: In the digital age, organizations are custodians of data that belongs to customers, partners and employees. Good stewardship of that data is simply what a good corporate citizen does. Management increasingly sees data protection in this light and is putting its weight behind IT security programs.

The Key Aspects of a Solid Security Risk Assessment

No matter the business model, ongoing risk assessments are critical to information security.

Harmon suggested a measured approach to identifying and mitigating organizational vulnerabilities. He recommends that organizations model the likelihood and impact of each risk alongside the maturity of the controls that address it. Risks should be segmented by:

  • Coverage (the administrative, physical and technical controls that protect the asset).
  • Known standards, such as those published by ISO and NIST.
  • The confidentiality, integrity and availability (CIA) of the data at stake.

Achieving the right amount of security coverage is critical, yet businesses often overlook entire categories of it. People, for example, can represent a significant risk to corporate security. Mitigating that risk requires behavioral change, so proper coverage includes a good training program, not just tooling. “We can agree that ‘people risk’ can’t be fixed by technology. Behavior modification will come only through time and effort of other people,” Harmon said.

Security policies and procedures based on known standards do more than encode best practice. Adherence to standards such as those from NIST also helps protect proprietary intellectual property and demonstrates due care, which reduces an organization’s exposure to added civil and financial liability after an incident.

Three major issues merit proactive attention, according to Harmon, and they are beginning to dominate C-suite agendas.

  1. Third-party security risks: With whom are you sharing information? Some vendor relationships start small and grow over time, accumulating access along the way. What process is in place to routinely inventory, classify, assess and remediate third-party data security risks? If there is no routine today, put one in place.
  2. GDPR for the United States: Federal privacy mandates are beginning to surface. California has already legislated data protection with its California Consumer Privacy Act (CCPA). The basic obligations are defined, and even where the system changes themselves look small, meeting them will require careful planning and implementation.
  3. HR: There are simply not enough skilled IT security professionals in the market. Most organizations cannot staff IT security entirely on their own and will need to find reliable alternatives.

The Business Imperative for Proactive Risk Assessments

The threats to business operations and reputation are escalating rapidly. Harmon recommends getting ahead of them with well-managed IT security systems and routines. “Doing it on your own terms – early – is a lot cheaper than waiting for someone to tell you to do it in a short period of time,” he stated.

Harmon shared stories of how his firm found gaps in clients’ security and what practical steps others could take to avoid the same gaps. The stories made it clear that organizations that do not take security seriously and instill a security-conscious culture may not survive much longer in the current environment.

Xigent makes staying on top of cybersecurity a top priority to better serve our clients. To find out how we could help you assess, bolster and manage your organization’s security, contact us today.