Why Information Security Risk Assessments Matter – Five Foundational Elements 

By: Matt Williams, Staff Consultant IT Risk Advisory


Most data breaches do not make front-page news, because they are occurring more frequently than ever. According to the Identity Theft Resource Center's 2017 Data Breach Year-End Review, there was a 44.7% increase in the number of data breaches from 2016, the previous highest year on record, resulting in 1579 known breaches in 2017. Data breaches have become so frequent that, according to IBM Security and the Ponemon Institute in their 2017 Cost of Data Breach study, there is a 28% global likelihood of being affected by a breach. Not only are breaches occurring more frequently than ever before, they are also more expensive. The United States leads all countries in this category, averaging $7.91m per data breach according to the 2018 Cost of Data Breach study.

That's all bad enough, but the damage caused by breaches doesn't stop at the financial cost. Many companies that have been breached face damage to their reputation that lingers for years, and it is not uncommon for them to face significant litigation. Some companies also find themselves with reduced competitive ability because of the theft of intellectual property and other proprietary information. The inability to demonstrate security controls (e.g., by providing a SOC 2 audit report) has become a barrier to entry for many service providers.

Although it is impossible to guarantee a secure technical ecosystem, one way to minimize your breach likelihood, and to increase your likelihood of passing a third-party audit if one is required, is to regularly perform Information Security Risk Assessments. A full Information Security Risk Assessment covers a variety of interconnected areas to give you the full picture of your organization's security environment. Don't be intimidated by the plethora of security frameworks that are available (e.g. ISO 27001, NIST Cybersecurity Framework (CSF)); the reality is that an information security program can be evaluated by assessing five foundational elements:

  • Information Security Governance is the documentation and overarching guidance for security. Proper governance will ensure cyber risk is assessed and formally managed, responsibilities are defined and communicated to employees, and the organization has ongoing reporting that tracks security initiatives and proactively communicates status to executive stakeholders.
  • Security Architecture is the bridge between governance and execution. It involves mappings between business and security, rationale for investments in security technology, design of supporting processes, and identification of the resources necessary to carry out the program's mission.
  • Tools and Technology are what carry out the policies, procedures, and strategies from governance and architecture. An assessment will look at the purpose, use, and output of each tool to identify areas of overlapping functionality and gaps. Costs, the level of effort required for maintenance and upkeep, and training requirements are factored in to determine the best course of action for your organization going forward.
  • People and Processes must be in place for tools to be utilized. Are processes providing the output they should be? Who are the process users? Are people properly trained for the tools and processes they use? No matter what tools are in place, if the people and processes supporting them aren't sufficient, there are chinks in the organization's armor.
  • Technical Testing uses a combination of external and internal scans to identify vulnerabilities. Vulnerabilities are assessed contextually, factoring in criticality, likelihood, and potential impact to develop a total risk profile.

Why Get Assessed?

  • Show customers you care about their data: According to Cisco, one third of companies that experienced a data breach lost 20% or more of their customers. Customers are showing their trust in your organization when they give you their data. Don't let them down: show that security matters to your organization and give them additional peace of mind.
  • Stay up to date: The cybersecurity landscape is constantly changing. The bad actors trying to get hold of your organization's data continue to improve, and so should you. A full assessment ensures the highest possible level of protection against the latest threats.
  • Get the best bang for your buck: Identify and prioritize problems based upon likelihood of occurrence and potential impact, so the cybersecurity budget can be spent on the most important issues and provide the highest ROI. This is especially important for companies that have invested heavily in cybersecurity products and tools over the past few years.
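As an added illustration of the contextual scoring described under Technical Testing and the likelihood/impact prioritization described above (example code written for this article, not Clearview's assessment methodology), the Python below ranks constructed scan findings by likelihood × impact, weighted by the criticality of the affected asset, and rolls them up into a total risk profile. The ordinal scales, weights and rating thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Ordinal scales assumed for this example (not taken from the article):
# likelihood and impact are rated 1..5; asset criticality 1..3 scales the result.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    title: str
    source: str        # "external scan" or "internal scan"
    likelihood: str    # key into LIKELIHOOD
    impact: str        # key into IMPACT
    criticality: str   # key into CRITICALITY, for the affected asset

    def score(self) -> int:
        """Contextual risk score: likelihood x impact, weighted by asset criticality (max 75)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact] * CRITICALITY[self.criticality]

    def rating(self) -> str:
        """Map the numeric score onto an assumed four-band rating scale."""
        s = self.score()
        if s >= 36:
            return "critical"
        if s >= 16:
            return "high"
        if s >= 6:
            return "medium"
        return "low"


def prioritize(findings: list) -> list:
    """Order findings so the budget goes to the highest-risk items first."""
    return sorted(findings, key=lambda f: f.score(), reverse=True)


def risk_profile(findings: list) -> dict:
    """Total risk profile: count of findings per rating band plus the summed score."""
    profile = {"critical": 0, "high": 0, "medium": 0, "low": 0, "total_score": 0}
    for f in findings:
        profile[f.rating()] += 1
        profile["total_score"] += f.score()
    return profile


# Constructed sample findings; not real scan output.
SAMPLE = [
    Finding("Outdated TLS configuration on public web server", "external scan", "likely", "moderate", "medium"),
    Finding("Default credentials on internal printer", "internal scan", "possible", "minor", "low"),
    Finding("Unpatched critical vulnerability on internet-facing VPN", "external scan", "almost certain", "severe", "high"),
    Finding("Missing screen-lock policy on lobby kiosks", "internal scan", "unlikely", "negligible", "medium"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.score():3d}  {f.rating():8s}  {f.title}")
    print(risk_profile(SAMPLE))
```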

Significant effort, expertise and technology market awareness are required to ensure your organization is secure and protected and that your security investment is optimized. The five key elements identified above are the foundation for adhering to any security best-practice framework. Clearview's team of IT Risk and Security experts has extensive experience across all industries and can customize a solution to meet your unique needs.
