Making Difficult Security Prioritisation Decisions
By Brian Boyd (CISM), Director at i-confidential
At i-confidential, we have been speaking to our clients to see how they are coping with the coronavirus crisis. The initial shockwave has been weathered. They have moved into their new resilience positions and understand the additional steps needed to ensure service continuity.
Some organisations have seen a massive increase in remote working, including many people who have never done it before. They are also beginning to understand the immediate financial impact of these actions and are considering the ongoing costs.
Security functions will not escape the inevitable questions:
1. To save money, what activity can we stop?
2. To deal with the rapidly changing landscape, what activities should we accelerate?
3. Do we need to do something now that we didn’t need to before?
From a cost-cutting perspective, if you count beans for a living, there are easy answers to this. For most organisations, which fought hard to get that budget in the first place, it’s a tough call.
With respect to new or accelerated changes, there is now an urgency to make some of these decisions that intensifies the usual considerations around time, cost, and risk benefit.
One of our products, Security Assessment, is all about producing a prioritised set of security projects over a period of time (usually three years) to bring an organisation in line with its risk appetite.
That got me thinking. How could we use Security Assessment to help organisations deal with the current challenge? It can help determine which projects can be stopped (or delayed), which ones need to be accelerated, and the overall impact on risk.
I always stress the need to be in control – to understand the position and the impact. If some activities must stop, make sure to choose those with the least impact on the organisation’s risk position.
Let's get to the nitty-gritty. The following is a snapshot of what we would consider if we were building your organisation’s service improvement programme (SIP):
1. The threats. What type of business are you? Who is out to cause you harm? This could change as criminals try to take advantage of the current situation.
2. Asset criticality. Protect your most critical first. One outcome of the current situation is that where organisations haven’t known what is critical to them before, they are starting to now.
3. Critical data. This should form part of the point above, but if it doesn’t for your type of organisation, you need to know where it is and how it’s protected.
4. Current control strength. Understanding how controls interact and overlay can be complex. Some decisions will come down to subjective judgement. We use our knowledge and experience to understand a position and assess how it can be improved.
5. The ‘big hitters.’ Where do you get the best return on investment, either in terms of cost or improved risk position?
6. Partial delivery. You may not need to complete the whole project. This ties in with point 1. It may be enough to roll out the key elements that protect the most critical assets and information.
From a ‘business as usual’ point of view, remember that response is key. Have all your response plans been tested while in a business continuity position? If not, you may want to think about spending in this area as well.
Below are some other points we urge organisations to consider once they have received a service improvement programme from us using Security Assessment:
1. Be mindful of complexity. It can kill a delivery, and leaving a lot of intricate projects running can be a major drain on time and resources.
2. Understand any remediation overheads. Can you handle the fix volume required after a new or improved control has been implemented?
3. Review your budget allocations. Could you deliver some changes as OpEx rather than CapEx? That might allow you more flexibility with your overall spending.
4. Check for overlapping controls. Organisations often end up with a collection of tools that do multiple things. If yours overlap, consider rationalising to make cost savings and reduce complexity.
5. Look for help close by. If you struggle with quantifying the risk, get others involved. There will be expertise in risk and audit departments, for example, and they might have extra capacity at the moment.
Every crisis provides an opportunity to reflect, grow, and improve. Keep in mind that right now you will have people's attention. It should all be focused on the critical components of the organisation. Don’t lose that focus when this is over and don’t waste the opportunity.
To help businesses during the current crisis, i-confidential is offering a complimentary virtual workshop. We will look at an organisation’s existing security investment plan and provide feedback.