Five Value-enhancing Adjustments for Information Risk and Security Programs and Professionals

For information risk and security programs and professionals to continue to stay relevant, provide value and be effective in the organizations they support, they must regularly adjust their approach. Organizations are constantly maturing and evolving, while simultaneously changing their activities, expectations and requirements. The most effective way for risk and security professionals to support programs is to mature, evolve and change with them. Consider these 5 adjustments that risk and security programs and professionals can implement to continue to be valuable and beneficial to their organizations:

1. Organize under enterprise risk management (ERM) functions—Information risk and security should be considered and organized under an ERM function within an organization instead of a technology function. In many organizations, the information risk and security programs and their associated professionals are organized as part of IT groups led by technology leaders (e.g., chief information officers). This potentially limits the risk and security professional’s scope and can create a conflict of interest and tension between them and the technology leaders they are supposed to support. As a result, the information risk and security professional may not be viewed as a valued asset by the technology leader, which could result in punitive action or lack of trust, as IT leaders may not believe information risk and security professionals are properly supporting their views or initiatives.
2. Present information that the organization really wants—Instead of assuming what business leaders and stakeholders want to know about information risk and security, ask them. It is often the case that information risk and security professionals either assume they know the insights and information that their constituents and stakeholders are interested in or that these individuals are not knowledgeable enough to ask for the right things. Regardless of the scenario, collaboration will help both groups build stronger relationships and understand how to interact with each other more effectively.
3. Articulate threat, vulnerability and then risk—Risk and security professionals commonly make the mistake of speaking about risk when they really are representing their insights and analysis concerning threats and vulnerabilities. The determination of a risk to an organization includes threat and vulnerability information, but also incorporates important data points such as business impact analysis if the threat is realized or vulnerability is exploited, business value and strategy, and calibration with the organization’s overall risk appetite. If these information risk and security professionals do not have a current and credible understanding of business considerations and tolerances, they cannot be expected to provide accurate representations of risk to their constituents and stakeholders.
4. Use a consultative approach—Information risk and security professionals are often perceived as being authoritative and unapproachable in many organizations. This is especially true when they are restricting individuals from pursuing a course of action or activity. An effective approach to removing this stigma is to integrate a consultative element into the information risk and security program or activities. This will assist the risk and security professional in building strong relationships, allowing them to provide useful advice and guidance, and be present and active in business activities on a regular basis instead of only at decision or review points. A consultative element will also provide the organization with an interface into the risk and security program where they can ask questions, develop and collaborate on ideas, and proactively engage to ensure they not only understand information risk and security expectations and requirements, but also the reasons for their existence.
5. Embrace, but educate—Instead of saying no to new technologies, ideas and capabilities in the name of security, try to find a way to say yes. Individuals within the organization often assume that the position of the risk and security professional or program is to restrict the use of new technologies, ideas and capabilities. A more effective approach is to embrace technological changes while at the same time educating the individuals who want to use new technologies about the appropriate information risk and security considerations, concerns and requirements that need to be accommodated as part of their use. This will empower individuals to able to make informed decisions about the use of these resources and, at the same time, ensure they are aware of their risk and security obligations.

Information risk and security programs and professionals need to continue to enhance their value proposition to the organizations and individuals they support so they can continue to be effective and relevant. The fundamental organization, policies, standards, functions and control frameworks to support information risk management and security are typically already in place in most organizations. What may be missing are the adjustments in approach and capability that are required to operate security programs effectively so that they are viewed as a benefit and not as a burden to the organizations and individuals they support.

John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.

[ISACA Volume 23]