A mature information security programme is built around an organisation's understanding of risk in the context of the needs of the business.
This risk-based security approach is one of the main methods of objectively identifying which security controls to apply, where to apply them and when. After all, it is difficult to defend against a threat when you have not prioritised or identified what needs defending, where and when it is exposed, and which methods are available to defend it.
Unfortunately, this type of approach is often not properly implemented because of its complexity. In fact, according to a recent Ponemon report, 50 percent of IT and security personnel do not believe risk management is aligned with their organisation's goals.
As a result, SecureWorks has set out a step-by-step process that details the stages and sub-stages involved in identifying the key components needed to implement a risk-based security approach.
Topics covered in implementing a risk-based security approach:
- Prioritise Your Information Assets and Processes
- Identify and Prioritise Risks
- Implement Foundational Security Controls Across Those Key Assets
- Build a Targeted Security Capability Model
- Develop the Security Improvement Roadmap
- Ensure Governance and Organisation Engagement