
Wednesday, December 18, 2019

Basic Information Security Functions




Photo by Nguyen Nguyen from Pexels



When I started my career in information security over 20 years ago, ‘Security’ was generally a role reporting into IT. The mandate at a high level was to prevent viruses and worms, develop processes based on controls from BS 7799, NIST SP 800-53, ITIL etc. for Technology, HR, facilities and other support functions within the enterprise, as well as facilitate internal and external audits and respond to client queries on the security posture.

Fast forward to the present day, and the Information Security function, including Cyber Security, has evolved into a complex and dynamic organization within the enterprise, with specialized activities spanning both Operations (first line) and Risk & Oversight (second line), and with an annual budget averaging between 7-12% of the IT budget. Usually reporting into the CIO, Information Security has become more autonomous and complex in the multifaceted role it plays in managing risks and maintaining the security posture of the enterprise.

Information Security and Cyber Security functions are pretty mature in the financial sector, as it is highly regulated and incidents would have a direct impact on bottom lines. Recent ransomware incidents are one example of why many other sectors such as manufacturing, auto, hospitality, retail, healthcare etc. have now begun to recognize the need to develop a security function within their organizations.

I have a presentation below that shows the most important functions/teams that a modern security organization should have to be effective.






I'd like to hear your thoughts; please leave your comments and feedback.

Sunday, December 8, 2019

All risks are not Key Risks



As risk professionals we often talk about Key risks and Key controls; while the expressions are quite commonplace, I’ve been in situations where the concept of a Key risk is not used appropriately. This is my attempt to shed some light.  

I’d like to spend a moment on the word ‘Key’ in this context. The ‘Key’ in Key risk is short for ‘Keystone’. Wikipedia: “A keystone (also known as capstone) is the wedge-shaped stone at the apex of a masonry arch or typically round-shaped one at the apex of a vault or arch. It is the final piece placed during construction and locks all the stones into position, allowing the arch or vault to bear weight.” Without the keystone, the arch could not stand.


Keystone


On similar lines, a Key business process is an activity without which the business could not operate or, in some cases, even exist. For example, if you are an e-commerce business, your site’s uptime is critical, and anything that could negatively impact the site’s uptime would be a Key Risk.
 
I’ve found it helpful to bring this concept up in discussions with leadership teams; it helps focus on what is really important and prioritize control activities to mitigate key risks. As risk practitioners we know that risk cannot be eliminated, and we need to ensure opportunities for value creation are not missed by trying to eliminate all risk.

The first step in identifying IT Key risks (IT risk includes both Information and Technology Risk) is to list the key risks identified by the business and tie them to the enterprise services the technology organization provides, and then to document the risks related to those services in terms of Confidentiality, Integrity and Availability.

Continuing with the earlier example of an e-commerce business, a couple of IT risks could be articulated as:

  • Risk: Downtime or Unavailability: Risk that the website is not available to customers 
  • Risk: Information Loss: Risk that customer /payment information is lost or stolen
 
Key Risk Identification


And the risk assessment would look like this.

Sample Risk Assessment
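To make the identification step concrete, here is a small risk register in Python, added as an illustration and not part of the original post. It ties each IT risk to a business service, records its impact on Confidentiality, Integrity and Availability, and flags a risk as Key only when the service it affects is a keystone service (one the business cannot operate without) and the impact is high. The 1-5 likelihood and impact scale, the scoring rule and the sample risks are my assumptions; the post itself does not prescribe a scale.

```python
"""Toy IT risk register that separates Key risks from ordinary risks.

Added example, not the original post's own assessment. The 1-5 likelihood
and impact scale and the Key-risk rule below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Service:
    """An enterprise service provided by the technology organization."""
    name: str
    keystone: bool  # True if the business cannot operate without it


@dataclass
class Risk:
    """An IT risk expressed against a service, with C/I/A impact ratings."""
    name: str
    service: Service
    likelihood: int              # 1 (rare) .. 5 (almost certain), assumed scale
    impact: Dict[str, int]       # {"C": .., "I": .., "A": ..}, each 1..5

    def worst_impact(self) -> int:
        """Impact is driven by the worst-affected CIA dimension."""
        return max(self.impact.values())

    def score(self) -> int:
        """Inherent risk score = likelihood x worst impact (assumed convention)."""
        return self.likelihood * self.worst_impact()

    def is_key(self, threshold: int = 4) -> bool:
        """Key risk: it threatens a keystone service AND the impact is high.

        A high score alone does not make a risk Key; it has to endanger a
        service without which the business could not operate.
        """
        return self.service.keystone and self.worst_impact() >= threshold


def build_register() -> List[Risk]:
    """Constructed sample register for the e-commerce example in the post."""
    storefront = Service("Online storefront", keystone=True)
    wiki = Service("Internal wiki", keystone=False)   # constructed, non-keystone
    return [
        Risk("Downtime or Unavailability", storefront, likelihood=3,
             impact={"C": 1, "I": 1, "A": 5}),
        Risk("Information Loss", storefront, likelihood=2,
             impact={"C": 5, "I": 4, "A": 2}),
        Risk("Wiki outage", wiki, likelihood=4,
             impact={"C": 1, "I": 1, "A": 3}),
    ]


def assess(register: List[Risk]) -> List[dict]:
    """Risk assessment table, highest inherent score first."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [
        {"risk": r.name, "service": r.service.name,
         "score": r.score(), "key": r.is_key()}
        for r in ranked
    ]


def key_risks(register: List[Risk]) -> List[str]:
    """Names of the risks that leadership should treat as Key."""
    return [r.name for r in register if r.is_key()]


if __name__ == "__main__":
    reg = build_register()
    for row in assess(reg):
        print(f"{row['risk']:<28} {row['service']:<18} "
              f"score={row['score']:>2}  key={row['key']}")
    print("Key risks:", key_risks(reg))
```

Note that the wiki outage scores higher than Information Loss on the likelihood-times-impact scale, yet it is not a Key risk, because the wiki is not a keystone service. That is the distinction the post is making: ranking by score tells you what is likely and painful, while the keystone test tells you what the business cannot survive.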


I hope this helps bring clarity when you are identifying key risks and controls.
I’d appreciate your thoughts and feedback.