The digital age created a laundry list of issues for security teams. CSOs, CIOs and other leaders are not only tasked with creating security guidelines for emerging tech trends, they're also responsible for ensuring any existing systems remain protected.
A risk profile analysis is one way to certify small "cracks" -- like suspicious behavior and sensitive systems -- don't become gaping sinkholes in the form of large-scale data breaches. In May's #GRCchat about minimizing business ramifications of breaches, SearchCompliance asked participants, "How should organizations prioritize data breach prevention resources, especially when faced with limited budgets?"
Former Federal Communications Commission CIO Robert Naylor was first to chime in, and suggested organizations implement network monitoring tools to mitigate financial risk and stay ahead of the curve:
Q2 My advice is to focus on what is actually happening on your network first! #GRCchat— Robert Naylor (@rbnaylor) May 15, 2014
Look at network traffic to determine suspicious behavior, Advanced Persistent Threats, Botnets, and bad known traffic in general.#GRCchat— Robert Naylor (@rbnaylor) May 15, 2014
Seems like a no-brainer, right? Not necessarily.
Many organizations track their network activity, but don't always pursue or act on suspicious activity because of budget restrictions. To counter this lack of monetary resources, IT might benefit from a quantitative risk profile process that assigns numerical values to varying levels of threats.
In the enterprise, risk profiling allows management teams to understand gaps between their company's threats and its risk appetite, or the level of risk the business is prepared to accept. IT security departments must set their sights on protecting what is most important: intellectual property, customer privacy and financial risk, according to Naylor.
Next, look at all your risk assessments from your audits and prioritize areas of attack based on likelihood. #GRCchat— Robert Naylor (@rbnaylor) May 15, 2014
The organization must protect the most sensitive systems and data first. Intellectual property and customer/constituent privacy. #GRCchat— Robert Naylor (@rbnaylor) May 15, 2014
Financial transactions are always on the top of the list as well to ensure the highest level of protection. #GRCchat— Robert Naylor (@rbnaylor) May 15, 2014
More on risk assessment
Next-generation risks and PCI security
What Heartbleed means for Web security
Like Naylor, SearchCIO contributor and CTO Niel Nickolaisen suggested profiling risk based on a well-thought-out risk assessment plan. "Before we selected and implemented technologies, processes and policies [at O.C. Tanner Co.], we defined and profiled our risks," explained Nickolaisen in a recent tip on SearchCIO. "We brainstormed all of the potential risks (a hack, a virus, an employee setting up a server outside the firewall and others), then assessed both the likelihood and impact of each potential risk. The combination of likelihood and impact determined the overall risk."
SearchCompliance Site Editor Ben Cole added his two-cents:
A2 Develop a risk profile to determine your most important digital assets – and their potential vulnerabilities #GRCChat— Ben Cole (@BenjaminCole11) May 15, 2014
A2 (cont) 100% security is impossible, so target data security on what is most important from a GRC standpoint #GRCChat— Ben Cole (@BenjaminCole11) May 15, 2014
With a foolproof system for ranking threats, security teams can easily identify major vulnerabilities and prioritize their data breach prevention efforts. SearchCIO Executive Director Christina Torode, however, asked tweet jammers whether the process could be made even easier.