Kindle Notes & Highlights
To thrive in complex, highly-connected global markets, organizations need bold business strategies that use technology to achieve competitive advantage.
There are two primary choices in life: to accept conditions as they exist, or accept the responsibility for changing them. —Denis Waitley
The reality is that because IT is now integrated into everything that an organization does, security groups cannot simply focus on locking down information assets to minimize risk. Restricting the use of information can constrain or even disable the organization, hindering its ability to act and slowing its response to changing market conditions. A narrow focus on minimizing risk therefore introduces a larger danger: it can threaten a business’s ability to compete in an increasingly fast-moving environment.
The core competencies of information security groups—such as risk analysis, business continuity, incident response, and security controls—remain equally relevant as the scope of information-related risk expands to new areas like privacy and financial regulations. But rather than saying “no” to new initiatives, we need to figure out how to say “yes” and think creatively about how to manage the risk.
The balancing point between providing open access and locking down assets depends on the organization’s appetite for risk.
To analyze the context that has led to our security mission and top priorities, I’ll explore some of the key changes in the landscape that affect how we view and manage risk: the rapidly expanding regulatory environment, the emergence of new devices and technologies, and the changing threat landscape.
The change in the last decade has been extraordinary. We have seen a flood of new regulations implemented at local, national, and international levels.
They affect the storage and protection of information across the entire business, from the use of personal information for HR and marketing purposes, to financial data, to the discovery of almost any type of document or electronic communication in response to lawsuits.
And with growing concerns about cyberwarfare, cyberterrorism, and hacktivism, several countries are evaluating additional cybersecurity legislation in an attempt to protect critical infrastructure and make industr...
This highlight has been truncated due to consecutive passage length restrictions.
Noncompliance can damage a company’s brand image, profitability, and stock price—not just through resulting legal problems, but through bad publicity.
California data security breach notification law (State Bill 1386), which became effective in 2003. A key aspect of this law requires companies that store personal information to notify the owner of the information in the event of a known or suspected security breach.
Businesses could reduce their exposure, as well as the risk to individuals, by encrypting personal data.
Health Insurance Portability and Accountability Act (HIPAA), have addressed specific categories of personal information.
updated data-protection privacy laws implemented in Europe (European Commission 2011, 2012).
As companies do more business online, they’re increasingly likely to acquire and store information about customers from other countries—and find they also need to comply with regulations around the world.
Privacy concerns are set to become even more important over time, as businesses increasingly seek to create online experiences tailored to the needs of individual users. The more a business knows about each individual, the more it can personalize services and offer targeted advertising based on income and preferences.
companies may be at a disadvantage if they don’t personalize services,
The personalization trend is fueling the growth of an industry focused on collecting, analyzing, and reselling information about individuals.
Companies now have opportunities to collect information from multiple online sources, correlate and analyze this information, and then sell it to others.
For businesses, however, offering personalized services also can increase compliance concerns.
Developing compliance strategies and guidelines becomes even more pressing.
Financial regulation surfaced as a top priority in the United States with the Sarbanes-Oxley Act (SOX), which emerged from the public outrage over corporate and financial accounting scandals at companies such as Enron and WorldCom.
SOX imposed financial tracking requirements designed to ensure that a company’s financial reporting is accurate and that there hasn’t been fraud or manipulation.
SOX required publicly held companies to meet specific financial reporting requirements
Sarbanes-Oxley Act doesn’t mandate specific technology controls, it has maj...
Ensuring financial integrity requires controls to be implemented within every...
the underlying applications have to support this workflow,
Compliance with financial regulations therefore creates a series of IT requirements, from making sure that applications provide the right functionality to implementing access controls and updating software. This compliance comes at a steep cost:
Regulations governing the discovery of information for litigation purposes officially extended their reach into the electronic realm in 2006.
US Supreme Court’s amendments to the Federal Rules of Civil Procedure explicitly created the requirement for e-discovery—the requirement to archive and retrieve electronic records such as e-mail and instant messages.
created an immediate need not just to archive information, but to au...
records must be produced in a timely way—and manual retrieval would take too long and b...
The business risks of noncompliance are considerable: unlike many countries, US practice allows for potentially massive information disclosure obligations in litigation. Companies that fail to meet e-discovery requirements may experience repercussions that i...
Lawsuits may draw on information that is several years old, so businesses must have the capability to quickly search and access archive...
E-discovery is further complicated by the growth of cloud computing models such as software as a service (SaaS). As organizations outsource more business processes and data to cloud service suppliers, they need to ensur...
created a legal requirement that any access point must be secured (Government of India Department of Telecommunications
unscrupulous individuals may tap into the network to access web sites for purposes such as illegally downloading music or pornography.
The use of personal technology can considerably enhance business productivity because employees can now communicate from anywhere at any time. However, this also creates a more complex, fragmented environment with more potential points of attack. Information is now exposed on millions of new devices and disparate external networks, many of which do not have the same type of security controls as corporate PCs—and all of which are outside corporate network firewalls.
The boundaries between work and personal lives are dissolving in other ways,
properly maintain access lists.
Above all, we need to accomplish a shift in thinking, adjusting our primary focus to enabling the business, and then thinking creatively about how we can do so while managing the risk. Information is the central nervous system of the company. Our role is to provide the protection that enables information to flow freely.
The moment we want to believe something, we suddenly see all the arguments for it, and become blind to the arguments against it. —George Bernard Shaw
We encounter misperceptions every day within the realm of enterprise risk and security. Furthermore, unless we mitigate these misperceptions, they can have disastrous consequences. As a result, I believe the misperception of risk is the most significant vulnerability facing enterprises today.
The misrepresentation of financial health was painted by the misleading practices of NMA. The copy and paste approach for that as 12 years ensured a dependence on JWH.
Leveraging simple accounting practices, such as establishing a budget based on historical information and tracking progress.
Within an organization, each individual’s perception of risk varies depending on his or her job role, goals, background, and peer group.
Misperceiving risk has serious consequences
Everyone is capable of misperceiving risk,
Misperceptions can weaken the entire organization’s security posture. If an organization underestimates a risk, it will underspend on controls to mitigate that risk, increasing the likelihood and potential impact of major problems such as data breaches.
The Psychology of Risk, a book by Professor Dame Glynis Breakwell, Vice Chancellor of the University of Bath (Cambridge University Press, 2007).
A useful moral hazard analogy is renting a car with full insurance coverage. People are likely to be less careful with the rental car than they would be with their own car if they’re not responsible for the consequences.