Twitter chat: Develop a risk profile for better breach prevention

In this #GRCchat recap, a former Federal Communications Commission CIO discusses how a quantitative risk profile can mitigate financial risk.

The digital age created a laundry list of issues for security teams. CSOs, CIOs and other leaders are not only tasked with creating security guidelines for emerging tech trends, they're also responsible for ensuring any existing systems remain protected.

A risk profile analysis is one way to ensure small "cracks" -- such as suspicious behavior on sensitive systems -- don't become gaping sinkholes in the form of large-scale data breaches. In May's #GRCchat about minimizing the business ramifications of breaches, SearchCompliance asked participants, "How should organizations prioritize data breach prevention resources, especially when faced with limited budgets?"

Former Federal Communications Commission CIO Robert Naylor was first to chime in, and suggested organizations implement network monitoring tools to mitigate financial risk and stay ahead of the curve:

Seems like a no-brainer, right? Not necessarily.

Many organizations track their network activity, but don't always pursue or act on suspicious activity because of budget restrictions. To counter this lack of monetary resources, IT might benefit from a quantitative risk profile process that assigns numerical values to varying levels of threats.

In the enterprise, risk profiling allows management teams to understand gaps between their company's threats and its risk appetite, or the level of risk the business is prepared to accept. IT security departments must set their sights on protecting what is most important: intellectual property, customer privacy and financial risk, according to Naylor.

Like Naylor, SearchCIO contributor and CTO Niel Nickolaisen suggested profiling risk based on a well-thought-out risk assessment plan. "Before we selected and implemented technologies, processes and policies [at O.C. Tanner Co.], we defined and profiled our risks," explained Nickolaisen in a recent tip on SearchCIO. "We brainstormed all of the potential risks (a hack, a virus, an employee setting up a server outside the firewall and others), then assessed both the likelihood and impact of each potential risk. The combination of likelihood and impact determined the overall risk."
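The likelihood-and-impact scoring Nickolaisen describes, as an added example in Python (not code from the article, from Naylor or from O.C. Tanner): each brainstormed risk is scored, ranked, and compared against a risk-appetite threshold so the gap between threats and accepted risk stands out. The register entries, the 1-5 scales and the threshold are constructed assumptions.

```python
# Added example, not from the article: a minimal quantitative risk profile.
# Scales (1-5 for likelihood and impact) and the risk-appetite threshold are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    def score(self) -> int:
        # Overall risk = likelihood combined with impact, here by multiplication.
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject scores outside the agreed scale so the ranking stays comparable."""
    for field, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {field} must be 1-5, got {value}")


def profile(risks, risk_appetite: int):
    """Rank risks by score and flag those above the level the business accepts."""
    for r in risks:
        validate(r)
    ranked = sorted(risks, key=lambda r: (-r.score(), r.name))
    return [(r.name, r.score(), r.score() > risk_appetite) for r in ranked]


def gap(risks, risk_appetite: int):
    """Risks exceeding the risk appetite, highest first: the prevention
    backlog to fund first when the budget is limited."""
    return [name for name, _, over in profile(risks, risk_appetite) if over]


# Constructed sample register, using the risk categories the article names.
SAMPLE_RISKS = [
    Risk("external hack of customer database", 3, 5),
    Risk("malware/virus outbreak on endpoints", 4, 3),
    Risk("employee stands up server outside the firewall", 2, 4),
    Risk("lost unencrypted laptop", 3, 2),
]
RISK_APPETITE = 8  # assumed: scores above this are not acceptable to the business

if __name__ == "__main__":
    for name, score, over in profile(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{score:2d} {'OVER' if over else 'ok  '} {name}")
```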

SearchCompliance Site Editor Ben Cole added his two cents:

With a foolproof system for ranking threats, security teams can easily identify major vulnerabilities and prioritize their data breach prevention efforts. SearchCIO Executive Director Christina Torode, however, asked tweet jammers whether the process could be made even easier.

For more coverage of this month's #GRCchat, follow @ITCompliance on Twitter. Our next tweet jam is scheduled for June 19 at 12 p.m. EST (topic, TBA). We hope to "see" you there!
