Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Todd Fitzgerald

Forget The IT Security Strategy, Just Get R Done!

  1. Know your threats – Not all threats are created equal, nor are their probability of occurrence and their impact on business operations. Metrics need to be established against these threat vectors in the form of measures and scorecards that reflect the organization’s ability to defend against them.
  2. Determine the vulnerabilities – Arrange for a trusted third party to perform targeted evaluations of different aspects of the infrastructure, such as IT, business and operations, wireless, social engineering, Internet and intranet scanning, web applications, commercial off-the-shelf software, databases, policy reviews, physical security and so forth. Interviews with executives will identify the assets they are most concerned about and that represent the highest risk.
  3. Develop the control lifecycle strategy for the assets – Risk mitigation strategies of prevention, detection, containment, education and control enhancement need to be defined to formalize how the risks are being mitigated.
  4. Integrate strategy with the business – Measurable risk-reduction efforts that are championed by key business executives increase the likelihood that the plan does not become overwhelmed by other priorities and turn into shelfware. Active engagement of management in developing and executing the strategy is essential.
  5. Short-term payoff – Consider pilots, proofs of concept and prototypes to implement the plan. These provide visibility into the longer-term security program and can demonstrate the payback opportunities earlier in the project cycle, reducing the risk of project cancellation.
  6. Regulation review – Strategies should be continually reviewed against regulations and emerging control frameworks to ensure that the current regulatory environment is reflected and that the strategy remains in alignment with collective industry knowledge.
