All organizations today are worried about the security of their data and systems. As more data is collected, the requirements and expectations for proper access control over that data have grown. This is magnified by the growing media coverage of many spectacular breaches that compromised large amounts of personal information. For an organization to be successful in this environment, the risk associated with its data must be properly understood and managed.
Security is a difficult scope to define for most organizations because it varies widely with industry-specific standards, regulation, cost components and local laws. Many organizations create a budget for security and leave it to specific departments to manage to that budget. Security should not be treated as a budget line, but rather as a prioritization of the company's exposure: a balanced approach to each risk in which the cost of responding to an incident is weighed against the cost of preventing it.
While the goal within all organizations should be zero incidents that cause data loss or compromise, this is a difficult goal to reach in an increasingly mobile and interconnected world. Organizations should begin by defining what the consequences of lost data are. Most organizations hold data that falls at various points on a spectrum of consequences, from none, through reputational loss, all the way to legal liability. Security planning and implementation should focus first on the data sets with the most severe consequences.
Once the data with the most severe consequences has been identified, an organization should define the threats and threat actors that put that data set at risk. By understanding these threats and actors, an organization can begin to define data protection standards and incident response plans that account for both the business continuity needs of the organization and the legal requirements for reporting to the relevant agencies.
From these protection plans and incident response plans, a cost can be derived for securing the data against compromise and for responding to compromised systems. This process can be repeated iteratively for every data set and application in the organization, producing a financial impact plan that can be prioritized so that spending focuses on the highest-risk data and applications.
This exercise will enable your organization's CISO to align closely with peers, including the CMO, CFO and CIO, on the prioritization of risk management for the organization. Alignment between the CISO and these peers is critical to ensure that all parties understand the spending priorities, as well as how industry standards such as privacy requirements for their specific areas are affected by potential data loss. Proactive engagement also enables the CISO to plan properly for systems that are purchased and managed by lines of business such as Marketing and Sales operations.
The final goal of a CISO should be to prioritize spending against the items that pose the highest risk to the organization. This risk is driven by the cost of a compromise and the associated legal requirements for responding to it. By partnering with peers, the CISO can properly determine which data is of the highest value to protect and ensure that systems and tools purchased by lines of business are included in this prioritization.