02 October 2006

Operational Threat Matrix: The Mission Ready Many...

The results of the latest Global State of Information Security 2006 study are out, and much of the insight is not surprising.

The study by CSO, CIO and PricewaterhouseCoopers (PwC), with 7,791 respondents in 50 countries, indicates that an increasing number of executives (CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security) across all industries and in private- and public-sector organizations continue to make incremental improvements in deploying information security policies and technologies, although the rate of improvement is slower than in previous years. They're becoming more financially independent, with some security budgets increasing at double-digit rates. And they say they're more confident in their level of security, perhaps because their networks have not had a serious virus or worm in the past 12 months.

What you don't know can hurt you. For the fourth consecutive year, there was an increase in the percentage of respondents throwing their hands up and saying they have no idea how much money their companies lost due to attacks. It's now up to 50 percent. Measuring an incident first requires defining a taxonomy of what an "incident" is and what an "incident" is not. In other words, how can you measure something that has not been sufficiently defined in your organization? How do you know when an incident has occurred?

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

The Mission
The organization shall develop, implement, maintain and continually improve a documented operational risk management system. Identify a method of risk assessment that is suited to the organization's business assets to be protected, regulatory requirements and corporate governance guidelines. Identify the assets and the owners of these assets. Identify the threats to those assets. Identify the vulnerabilities that might be exploited by the threats. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets. Assess the risks. Identify and evaluate options for the treatment of risks. Select control objectives and controls for treatment of risks. Implement and operate the system. Monitor and review the system. Maintain and improve the system.
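As an added illustration (not part of the original post, and not any organization's real register), the following Python sketch walks through the mission steps above with a constructed two-asset register: assets with owners, threats, vulnerabilities, CIA impacts, a risk score, treatment options evaluated against a risk appetite, and a control selected per risk. It also encodes the incident definition the post asks for (an action on a target that produced an unauthorized result) so that incident cost becomes a countable number. Every scale, threshold, asset, treatment option and event below is an assumption made for the example.

```python
"""Added example: minimal operational risk register plus incident taxonomy.
All scales, thresholds, assets, threats, options and events are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed 1..5 ordinal scales for asset value, likelihood and CIA impact.
RISK_APPETITE = 20  # assumed: highest residual score the organization accepts


@dataclass
class Asset:
    name: str
    owner: str   # each asset has an accountable owner
    value: int   # 1..5 business value


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int          # 1..5
    impact: Dict[str, int]   # loss of confidentiality/integrity/availability, 0..5

    def score(self) -> int:
        """Inherent risk: likelihood x worst CIA impact x asset value (1..125)."""
        return self.likelihood * max(self.impact.values()) * self.asset.value


@dataclass
class Treatment:
    option: str               # mitigate / transfer / avoid / accept
    control: str              # control objective chosen for this option
    likelihood_factor: float  # how the control scales likelihood
    impact_factor: float      # how the control scales impact
    annual_cost: int          # constructed, arbitrary units


def residual_score(risk: Risk, t: Treatment) -> float:
    return risk.score() * t.likelihood_factor * t.impact_factor


def select_treatment(risk: Risk, options: List[Treatment]) -> Treatment:
    """Cheapest option that brings residual risk within appetite; if none does,
    the option with the lowest residual (the caller should escalate that case)."""
    within = [t for t in options if residual_score(risk, t) <= RISK_APPETITE]
    if within:
        return min(within, key=lambda t: t.annual_cost)
    return min(options, key=lambda t: residual_score(risk, t))


# Incident taxonomy: an event is an incident only when an action on a target
# produced an unauthorized result, whatever tool or attacker was involved.
@dataclass
class Event:
    action: str
    target: str
    unauthorized_result: Optional[str]  # None: nothing unauthorized happened
    loss_estimate: int = 0              # constructed, arbitrary units


def is_incident(e: Event) -> bool:
    return e.unauthorized_result is not None


def incident_cost(events: List[Event]) -> int:
    """Countable only once 'incident' is defined: sum the losses of incidents."""
    return sum(e.loss_estimate for e in events if is_incident(e))


# Constructed sample register and event log.
CRM = Asset("customer database", "Head of Sales", value=5)
PAYROLL = Asset("payroll server", "HR Director", value=4)
RISKS = [
    Risk(CRM, "external attacker", "unpatched web front end", likelihood=4,
         impact={"confidentiality": 5, "integrity": 3, "availability": 2}),
    Risk(PAYROLL, "disgruntled insider", "shared admin password", likelihood=3,
         impact={"confidentiality": 3, "integrity": 4, "availability": 1}),
]
OPTIONS = [
    Treatment("accept", "none", 1.0, 1.0, 0),
    Treatment("mitigate", "patching + least privilege", 0.25, 0.6, 40),
    Treatment("transfer", "cyber insurance", 1.0, 0.5, 25),
    Treatment("avoid", "decommission exposed interface", 0.1, 1.0, 80),
]
EVENTS = [
    Event("port scan", "web front end", None),
    Event("SQL query", "customer database", "records exported", loss_estimate=120),
    Event("login", "payroll server", None),
]


def assess_register(risks=RISKS, options=OPTIONS):
    """One row per risk: (asset, inherent score, chosen option, residual score)."""
    rows = []
    for r in risks:
        t = select_treatment(r, options)
        rows.append((r.asset.name, r.score(), t.option, round(residual_score(r, t), 1)))
    return rows


if __name__ == "__main__":
    for row in assess_register():
        print(row)
    print("incident cost:", incident_cost(EVENTS))
```

The point of the sketch is the order of operations the mission prescribes: nothing is scored until an owner, a threat and a vulnerability are attached to an asset, and no control is chosen until each option's residual is compared against an explicit appetite. The same discipline makes the "how much did incidents cost" question answerable, because `incident_cost` only counts events that meet the written definition.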

The Take Away
While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization. Who is responsible for Operational Risk Management in your business? Everyone is. You see, if everyone in the organization were able to understand and perform the mission flawlessly, then the business could stay in constant control of how much incidents are costing the enterprise. Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly. If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.
