BreachExchange mailing list archives

How to prepare your organization for the risk of data loss


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Dec 2015 13:46:32 -0700

http://www.networkworld.com/article/3005304/data-center/how-to-prepare-your-organization-for-the-risk-of-data-loss.html

Data breaches are serious and very real threats in today's digital world,
and no industry sector is immune. In the medical sector alone, the cost of
client data breach liability, expense, and settlements has surpassed the
same costs from medical malpractice. Securing data and minimizing the
probability and impact of data breaches is, at its core, a risk-based
endeavor.

While many businesses have recognized the need for risk assessment and
management, there is still a tendency to treat risk assessment and
management as "checkbox" exercises. For a risk management program to
provide true benefit, several things are required:

An enterprise-level risk management practice. This is NOT your IT risk
management team – it is a standalone and empowered practice that operates
at the CXO level. This team is focused on business alignment.

An IT-level risk management practice. This team is focused on the
application and testing of applicable risk management frameworks and the
controls associated with those frameworks.

Certified and qualified risk management professionals. There are several
industry certifications available. CRISC (Certified in Risk and Information
Systems Control) and CRMP (Certified Risk Management Professional) are
examples. Both require substantial continuing education, which is
critical given the moving target that cybersecurity has become.

Too often we see businesses with some partial combination of these
elements, but we rarely see them address the complete picture.

4 Ways to Approach Risk

Risk assessment doesn't need to be an enigma. Once risks are identified,
each can be dealt with in only one of four ways, with the selection for each
risk factor determined with a business-alignment mindset based on its
probability and its impact:

Accept the risk. This is appropriate for risk factors with low probability
and low impact.

Avoid the risk. Patient: "Doctor, my arm hurts when I do this!" Doctor:
"Well then, don't do that!" In all seriousness, this means that the
organization shouldn't engage in business activities not aligned with its
primary mission or outside its area of primary expertise. This is
appropriate for risk factors with high probability and high impact.

Transfer the risk. This is appropriate for risk factors with low
probability but high impact. Examples are insurance policies and outsourcing
of high-capital-expense or high-expertise elements such as data center
services. (Disclosure: I work for Lifeline, a provider of data center
facilities and services.)

Mitigate the risk. This approach is appropriate when the probability is
high but the impact relatively low. Additionally, if you happen to be a
service provider that other organizations transfer risk to (like a data
center provider), you are the last stop for that risk and must find ways to
mitigate it.

Obviously, the parsing of risk factors into their appropriate action
buckets is a complex process requiring knowledge of the threats themselves,
the technology involved, business alignment, vendor capabilities, actuarial
data, etc.

Clearly, organizations that simply accept or avoid risk by default, rather
than making a deliberate choice for each risk factor, aren't setting
themselves up for success. Being proactive instead of reactive is key to
ensuring you cover as many vulnerabilities as possible.

On the other hand, many businesses realize they don't have the staff,
objectivity, time, or money to allocate to risk management. These can be
barriers to success, along with ego factors such as politics, turf wars,
and ambition. Therefore, the most popular of the four options is
transferring the risk to someone else, which in effect hands option number
four, mitigating the risk, to that provider.

The biggest benefit of this option is that hiring outside help can be the
most cost-effective choice, given that the cost of attracting certified
risk management professionals and obtaining certifications for your business
could be upwards of $1 million. It also takes time and resources, which
translate into overhead costs. When in doubt, I always recommend
transferring the responsibility to mitigate risk more effectively.

Implementing Risk Management

Before you can develop a risk management practice that makes sense, you
need to assess where you currently stand. Rather than trying to assess the
situation yourself, hire a third party to complete a risk assessment of
your business that spares no detail. Thoroughness is an advantage: the more
you know, the more risk you can mitigate.

The next decision you need to make is whether or not you want to eat the
cost and handle it internally, or if you want to transfer that risk to an
outsourced party.

Finally, regardless of whether you keep it in-house or transfer your risk,
you do need to dedicate resources to your risk management practice so you
can mitigate vulnerabilities as much as possible.

The consequences of not understanding and addressing your risks can be dire
- from not being able to attract quality talent to destroying your
reputation and credibility to going out of business.

Are you risk-ready?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
