A change in mindset is needed among executives if enterprises are to deal with the challenges of information security, a top information risk strategist warned today.
“Security by compliance is no longer working,” said John Pironti, who is president of IP Architects and is one of the security professionals behind the Information Systems Audit and Control Association.
“The number and impact of security breaches have dramatically increased in the last couple of years, even though companies were in compliance with standards like PCI, GLBA, FFIEC, FISMA and others.” He said more input was called for from business executives, instead of organisations relying solely on security professionals and regulators to shape their security posture.
“We need to stop thinking about information security and start thinking about information risk management,” Pironti said.
Earlier in the year a report recommended that there should be a senior management team whose job it is to manage risk, and that that group should be prioritising risks, improving controls, and automating procedures. The team should also be continuously assessing controls and risks, leveraging technical controls, policies and IT change management and carrying out comprehensive reporting.
The outcome of this coordinated approach to risk should be fewer incidents of data loss or theft, lower levels of business downtime and fewer problems with regulatory audit in IT, the IT Policy Compliance Group (ITPCG) said in its report.
At ISACA’s International Conference today the body unveiled Risk-IT, a new IT enterprise risk management framework which will be publicly available as a free download in September.
The new Risk-IT guide will map out a framework for enterprises to help executives decide how best to identify, govern and manage IT risk. It includes proposals that give end-to-end guidance on how to manage IT-related risks, beyond purely technical control measures and security. The guide will also help IT staffs understand how they can capitalise on an investment made in an IT internal control system already in place to manage IT-related risk.