Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Nikki Haley didn't see information risk management as a key part of her job when she was sworn in as South Carolina governor two years ago. But a breach of the state tax system, in which a hacker exposed the records of nearly 4 million taxpayers, changed all that.
"When something goes wrong, that's when you notice," the governor says.
Whether out of a sincere sense of duty to serve her constituents, a calculated move to placate angry voters and save her political neck, or both, the breach catapulted Haley into a position of leadership on safeguarding the state's digital assets. It's a choice most chief executives don't make voluntarily - and that's a mistake (see The Infosec Education of Nikki Haley).
In light of growing threats and the increasing complexity of information technology, organizations - whether in the public or private sectors - must get everyone in the enterprise, especially its top leaders, involved in assessing and managing information risk (see: Top Threats: The 2013 Outlook).
An effective approach to risk management must go well beyond managing risk in departmental silos. And when assessing and managing risk, everyone involved must use the same vocabulary, so that jargon doesn't trip up the discussion.
Organizations that lack an effective, updated enterprise risk management strategy place their missions - as well as their bottom lines - in jeopardy.
"Information risk management is a business function, not a technology one," says Ron Ross, a fellow at the U.S. federal government's National Institute of Standards and Technology and a top authority on information risk management (see Risk Management Framework: Learn from NIST).
And, as a business function, every key player in the enterprise must be involved in the risk assessment and management process: the CEO; business-process owners; IT and information security executives and managers; the individuals who design and maintain systems; and those who acquire technology.
Selected representatives of these key players should form the team that will conduct the risk assessment.
The team must identify threat sources and vulnerabilities, then determine the likelihood that a threat will exploit a vulnerability and the magnitude of the resulting impact on the organization. It's vital that the team regularly communicate its findings to others in the enterprise, especially top executives and business-process owners. And it must regularly update the risk assessment, because threats, vulnerabilities and systems change.
To underscore this approach, NIST in September 2012 issued Revision 1 of its risk assessment guidance, Special Publication 800-30, Guide for Conducting Risk Assessments.
Other guidance is available from the International Organization for Standardization and the International Electrotechnical Commission, which jointly published a guide on risk assessment techniques, ISO/IEC 31010. And ISACA, a global association of IT audit, risk, governance and security professionals, offers risk assessment guidance through its Risk IT Framework.
The threat landscape is evolving rapidly, and that's having an impact on the way organizations function.
The ongoing spate of distributed-denial-of-service attacks against U.S. banks has meant millions of customers couldn't transact business online. That kind of disruption can have an impact on a business' bottom line and reputation (see The New Wave of DDoS Attacks: How to Prepare and Respond).
Supply chain disruptions could result in tampered computer components being installed in information systems to allow nation-states, cyberthieves or competitors to pilfer trade secrets and other intellectual property (see Ensuring Integrity of IT Supply Chain).
New forms of malware - ransomware, for instance - scare users into paying a ransom or surrendering sensitive information.