Cyber threats and the need for enhanced security management is a recurring theme in today’s news headlines. In previous decades, security in most organizations was primarily a technical discussion relating to firewalls and anti-virus controls. However in the last ten years, security has evolved into much more of a risk management issue.
Although this change has been strongly influenced by security regulations promulgated to help protect consumer data (financial, health and other personal information), the need for effective security risk management now extends beyond the financial and healthcare industries. Accordingly, this issue warrants increased attention by business managers in all organizations, regardless of size.
Here is a list of warning signs that an organization’s security risk management program may be inadequate:
No one in your organization is explicitly responsible for security management. Without clearly defined responsibility, adequate attention to security is most certainly lacking.
Executive management delegates total responsibility for security to IT staff by default. This reflects the outdated perception that security is solely a technical issue, and it results in a lack of executive accountability and of transparency from technical staff about how security is being managed.
Business impact analysis has not been conducted. Effective risk management, as well as disaster recovery and business continuity, requires a clearly defined assessment and prioritization of data assets that are critical to your organization’s success.
Adequate security policies and procedures are not in place. Policies and procedures provide the framework for directing employee behavior and determining appropriate security controls.
A risk analysis/assessment has not been performed to determine the level of risk and the adequacy of existing security controls. A risk analysis is essential to assess the status of security threats and the appropriate administrative, physical and technical safeguards.
There is no formal vulnerability management program. Effective vulnerability management involves regular vulnerability scans with remediation, patch management and event log management.
There is no ongoing security monitoring and management, with policies/procedures for responding to security incidents. Today’s security threats come from many directions and can occur 24×7 from all corners of the world. Therefore, 24×7 monitoring by staff with security training is essential to ensure that eyes are watching your network.
Effective security risk management should be a focus for all organizations, regardless of industry or perceived regulatory compliance issues. The extent of resources allocated to your security risk management program should be based on the level required to safeguard your business operations and data assets from today’s cyber threats.