Security Risk Management: Building an Information Security Risk Management Program from the Ground Up doc


Document information

[...] see the added value of basing your security program on a risk model. Risk management is by no means a ubiquitous foundation for information security programs, but many visionaries in the field recognize that the future of information security has to be focused on risk decisions if we are to have any hope of combating the ever-changing threat landscape and constantly increasing business demands. From an...

... understand how and when to apply them. If they are spending all their time with enforcement, then either the educational aspects of the program are failing or they don't have the necessary support from the leaders in the organization. A major component of your security program will be identifying areas of the organization that don't meet internal policies and standards, assessing the risk of noncompliance, ...

... about the value of a risk-based approach to information security? Certainly, all the security products and service vendors have jumped on the risk bandwagon in full force. As a profession, have we fallen behind the vendors or are they contributing to the false perception of risk management? In fact, walking on the expo floor of any major information security conference, the number of ...

... wonder whether security as a function will be carved up and absorbed into other business units. Security Team Responsibilities. Security teams should really approach an Information Security program as if they are consultants hired to help guide the business. The majority of their time should be spent interpreting security policies and standards, and helping the organization. The Death of Information Security ...

... a Master of Science in Information Assurance from the National Security Agency certified program at Northeastern University. Currently, Evan continues to promote the security industry as an instructor at both Clark and Northeastern Universities and as an instructor and author of the Information Security Risk Management course for the SANS Institute. More details about his work and several free resources ...

... security risk management programs from the ground up. He currently leads the information security risk management program as Director of Information Security for Omgeo (A DTCC, Thomson Reuters Company), and he previously spent over 6 years supporting the US Department of Defense as a security consultant. As a complement to this diverse experience in the field and his Computer Science degree from Georgia ...

... book. The Shangri-La of Risk Management. The goal of risk management is to maximize the output of the organization (in terms of services, products, revenue, and so on) while minimizing the chance for unexpected outcomes. There is no mention of eliminating risk because that just isn't a reasonable goal. Some organizations with low tolerance for risk have taken the stance ...

... perspective, risk management may seem like an obvious fit for information security, but, amazingly, within the profession, there are still debates regarding its merit. HOW WE GOT HERE. If you attend any industry conference or pick up any information security trade magazine, you will certainly see many references to risk assessments, risk analysis, and risk management. So, how is it possible that many security ...

... maximum appetite—for risk across the entire business. So, if the organization wants to attempt a risky business venture that might provide a competitive advantage, then you have to reduce the organization's risk in other areas to stay within that healthy range of risk tolerance. The information security function's role is to reduce the organization's operating risk with sound information security practices ...

... CHAPTER 2: Risky Business. INFORMATION IN THIS CHAPTER: • Applying Risk Management to Information Security • Business-Driven Security Program • Security as an Investment • Qualitative versus Quantitative. INTRODUCTION. A common view of the Information Security function is that it is all about encryption and firewalls. We are perceived as the group that is always telling the business what they can't do and is ...

Posted: 23/03/2014, 03:20

Table of contents

  • Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

  • Copyright

  • Preface

    • Intended Audience

    • Organization of This Book

      • Part I—Introduction to Risk Management

      • Part II—Risk Assessment and Analysis Techniques

      • Part III—Building and Running a Risk Management Program

      • Appendices

      • Acknowledgments

      • About the Author

      • About the Technical Editor

      • Chapter 1: The Security Evolution

        • Introduction

        • How We Got Here

          • Banning Best Practices

          • Looking Inside the Perimeter

          • A Risk-Focused Future

            • A New Path Forward

            • The Shangri-La of Risk Management

            • Information Security Fundamentals

              • Safety before Security

              • The Lure of Security by Obscurity

              • Redefining the CIA Triad

              • Security Design Principles

                • Least Privilege

                • Defense in Depth
