Businesses Are Bad At Risk-Assessment, And That's Good For The Channel


Businesses are failing to effectively measure their security risks and document their critical business processes, according to a new report issued by a group of top security leaders.

The failure to do so often leaves weaknesses that can be used by an attacker to gain access to corporate resources, according to the report, "Transforming Information Security, Future-Proofing Processes," (.PDF) issued this week by the Security for Business Innovation Council. The organization, formed by RSA Security, is made up of chief information security officers at a variety of high-profile businesses. It recommends steps that businesses can take to improve their information security programs.

Security-minded consultancies, service providers and systems integrators told CRN that many of the best practices outlined in the document hit at the core of the advice they provide to clients. Typically, a positive engagement involves working with business executives and IT leaders during a thorough risk assessment of their environment, they said.


Rather than thinking about protecting information assets, such as applications and servers, organizations should consider protecting critical business processes, the report said. The shift in focus forces people within the organization to consider how data flows and which of the critical processes in place could be bypassed. Taking an overall assessment and considering the core processes helps organizations think about building security in rather than bolting it on, said J.J. Thompson, managing director and CEO of Rook Security, a solution provider that has built its core security consulting practice on conducting audits, penetration tests and risk assessments. Thompson said many of his clients are seeking assistance in conducting a complete re-engineering of their security architecture.

"They don't want to maintain status quo when it comes to security; they have a vision for something that is much greater and it doesn't necessarily mean that they are buying and deploying a new security appliance," Thompson said. "It's interesting because the more that we've focused on the business side and metrics with security transformation services, the more organic growth we began to see."

The security team needs to work with managers within the business units to document critical business processes. Once critical business processes are identified, they can be regularly updated when changes take place, according to the report. In addition, the council advises businesses to hold an impact discussion to quantify risk and project potential monetary losses. The goal is to get the business units that are already making decisions about critical processes to make risk-based decisions, the report said.

Organizations don't have to invest in a massive new security suite, said Chris Camejo, director of consulting and professional services at NTT Com Security. Once the business has a handle on where the data is and who has access, security controls can focus on the people handling the data, said Camejo, who leads a team of assessors that conduct compliance audits.

"Most organizations have been trying to secure everything up until this point," said Camejo, adding that many businesses have been reconsidering that strategy.

The report also urges organizations to automate the process using governance, risk and compliance (GRC) tools, which are designed to continuously monitor systems and measure their security posture so security teams can develop a priority list. The tools are also designed to document security controls, giving auditors a central location to view evidence that minimum security standards are being met.

Small businesses often turn to solution providers for help because their security programs are in disarray or almost nonexistent, said Don Gray, chief security strategist at managed security service provider Solutionary. The process of improving or even fine-tuning an information security program is often complex and multifaceted, Gray told CRN.

"Understanding what truly are the assets in the organization is what comes first and that takes a careful discussion with the business side to get a clear picture of what is important and what isn't," Gray said.

PUBLISHED DEC. 12, 2013