How To Fix Outdated IT Security Processes

by CXOtoday News Desk, Jan 14, 2014


Companies with outdated information security systems are often at greater risk than those that update their security processes on a regular basis. A new report released jointly by security firm RSA and the Security for Business Innovation Council (SBIC) states that organizations should not only transform their outdated security processes to help neutralize cyber risks and threats, but also have strong collaboration between teams, especially the CXOs and security teams, to identify and evaluate cyber risks in order to gain competitive advantage.

The report observes that business groups within organizations are taking greater ownership of information risk management. However, outdated security processes are hindering business innovation and making it difficult to combat new cyber security risks. The Council offers guidance calling for information security teams to collaborate more closely with functional business groups to establish new systems and processes to help identify, evaluate, and track cyber risks faster and with greater accuracy.

The Council also offers five recommendations for how to move information security programs forward to help business groups exploit risk for competitive advantage:

From technical assets to critical business processes

Researchers have advised organizations to shift focus from technical assets to critical business processes. In other words, CXOs and security teams should expand beyond a technical, myopic view of protecting information assets and get a broader picture of how they can use information by working with business units to document critical business processes.

Institute business estimates of cybersecurity risks

According to the report, it is essential for companies to describe cybersecurity risks in hard-hitting, quantified business terms and integrate these business impact estimates into the risk-advisory process.

Establish business-centric risk assessments

Companies that have deployed automated tools for tracking information risks are in a better position, say researchers. In such a scenario, they believe that business units can take an active hand in identifying danger and mitigating risks and thus assume greater responsibility for security.

Set a course for evidence-based controls assurance

To mitigate risks, the report recommends that organizations create and document capabilities to collect data. This technique, according to the researchers, can prove the efficacy of controls on a continuous basis.

Develop informed data collection techniques

Companies are also required to set a course for data architecture that can enhance visibility and enrich analytics, according to the report. Researchers recommend that companies consider the types of questions data analytics can answer in order to identify relevant sources of data.

The report also states that the areas ripe for security process improvement include risk measurement, business engagement, control assessments, third-party risk assessments and threat detection.