Today’s security leaders encounter many challenges. They have to operate with reduced budgets and face challenging and evolving risks daily.
Security leaders are often ignored and only called upon when needed or in disaster situations. Many don’t have an ongoing relationship with the C-suite because the C-suite doesn’t understand the value they bring to the whole business.
To resolve these challenges, a security leader can apply a risk-based approach to their security program. According to dictionary.com, the risk is “exposure to the chance of injury or loss; a hazard or dangerous chance.” Risk is broader than a security concern and involves the entire business.
Through utilizing a 3R model – considering resources, risks, and resolutions - a security leader can evaluate the output from the model to build the foundation of a strong plan. This allows the leader to make security decisions based on a quantified risk measure. A business determines what resources it wants to protect, what risks it needs to protect the resources from, and what resolutions it can put in place to mitigate the risk. Decisions are based on measurable evidence.
THE 3 RS
The first step in the 3R model is to figure out what resources need protection. This could be physical - such as buildings, critical infrastructure, or valuable equipment, knowledge-based - such as intellectual property, or organizational - such as people or governance structure. Understanding the business will help the security leader develop a list of critical elements. Look for tangible resources such as buildings and machinery, and intangible resources like reputation, knowledge, and processes.
Second, determine what the resources need to be protected from. Anything that threatens harm to the organization, its mission, its employees, customers, partners, its operations, or its reputation could be at risk. These can include contextual risks (workplace safety or natural disasters), criminal risks (theft or cybercrime), or business risks (compliance or legal issues). Free online risk assessment tools are available to provide a fast, easy way to determine an organization's basic security risks through an investigative approach. The tools ask several questions and determine risk based on an organization’s location and the answers provided. Security leaders can also work with security companies and consultants that offer risk assessments to determine their company’s needs, and then offer solutions based on that assessment.
The third objective is to determine how businesses can best protect the identified resource. The last of the 3 Rs - resolutions - are those security activities that enable the business to mitigate the impact of security risks. Resolutions can potentially prevent a security incident from occurring, contain the impact on resources if an event does occur, and also assist the organization in recovering from an impact more quickly or easily.
THE PATH FORWARD
Understanding what risks businesses face in totality provides an opportunity for the security leader to collaborate with other department heads. This gives security leaders an opportunity to engage with functions outside their norm as well as a chance to demonstrate their subject matter expertise. A risk-based approach also helps security leaders fully understand an organization’s needs and concerns, which they can communicate to the C-suite to help them make better business decisions.
C-suite and executives help define an acceptable level of security risk tolerance to resources and make quality, educated decisions about mitigating security risks. Through collaborating with security leaders using a risk-based approach and the 3R model, metrics and reports show the impact of security expenses, and there is a transparent view of security risk.
The final decision about how to mitigate and resolve risks is up to the business owner of the resource and the risk stakeholders. To obtain funding, show the risk and value of resources exposed to potential impact. Then present the recommended resolution that reduces the potential level of impact and the associated cost benefit savings. By providing this information, security leaders can ensure that the business owners can make an educated decision.
MEASURING SUCCESS
A risk-based approach aligns the security mission with the organization’s mission. Security leaders should have these conversations with their business leaders regularly. Understanding the thresholds of risk tolerance and showing when incidents or activities are trending outside of acceptable boundaries will help business leaders make educated decisions. Determining a baseline of acceptance gives a foundation for security leaders to point out when the organization is not meeting its requirements. Metrics can also help business leaders understand the cost/benefit of resolutions and demonstrate when costs may be trending outside of acceptable boundaries.
The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program. It is important to note that this process is not stagnant, and needs to be constantly revisited.
Continuous conversations using the 3R model also help business leaders understand what security risks could interfere with meeting business objectives. It also aligns the total cost of ownership for the security program with the business value of the resources at risk. And it defines the security role as risk management, not just task management. The approach puts the security risk decisions in the hands of the ones impacted by those risks…the “owners” of the resources.
Examining risks, resources, and resolutions systematically will help security leaders understand what they are protecting, what they are protecting it from, and how they can help prevent, contain or recover against a specific risk. Followers of this approach are in a better position to ask for funding because they can clearly define and quantify risks and vulnerabilities. Applying these principles will equip security leaders with the knowledge needed to have better dialogue with colleagues in other departments, encouraging more proactive discussions about security.