Achieving total security in an organization is impossible.
Once you have accepted this simple (but often hard-to-swallow) fact, you can move forward with a risk-based security strategy, in which priorities are established and decisions are made through a process of evaluating the sensitivity of data, the vulnerability of systems and applications, and the likelihood of threats. By making risk-based decisions, security organizations can develop more practical and realistic security goals, and spend their resources in a more effective way.
Addressing real risk is not a new concept: Most capable IT departments already factor risk and prioritization into the way they deploy services and security policy. But few formalize risk assessment and asset prioritization into each and every purchasing and policy decision they make.
Risk-based security strategy, or RBSS, is a broad term that's often used to describe efforts to implement a practical approach to protecting assets that really matter while avoiding spending budget on assets that don't matter.
In theory, all of this makes sense: Businesses that waste resources on unprofitable products go out of business. In a similar fashion, IT can become a much more effective partner to the business by deploying its resources and expertise in an intelligent and cost-effective manner.
In practice, a risk-based security strategy takes careful planning and ongoing monitoring and assessment. It doesn't have to be an overly complex process, but it's certainly not something that security professionals can take lightly -- or take on themselves. If your organization is fortunate enough to have an influential CIO who understands the business intimately, then perhaps IT can effectively drive a risk assessment project. But, in general, IT should be a facilitator in this process.
Step 1 is to determine the value of your assets. The value of an application or other digital asset in terms of real dollars is sometimes difficult to quantify, but you don't necessarily need to focus on a metric like value. It could just as easily be something like "revenue lost." For example, if your CFO tells you that he thinks the business will lose $50,000 per hour if an order-entry system is compromised, that's a lot different than your VP of HR telling you that staff will be "inconvenienced" if a particular HR package is unavailable for 24 hours.
When factoring risk into your security strategy, you need to rely on certain metrics and variables to guide the way as you deploy IT resources. At the end of the day, you may find that you've deployed top-tier security tools and lots of high-availability capabilities for resources that really don't need it. Conversely, you may also discover that your $50,000-perhour order-entry system is minimally protected and lacks the required high availability resources needed to survive a hardware glitch.
Taking an inventory and appraisal of all your key systems and data sources is a critical first step in developing an approach to security that takes risk into account as a primary factor.
To read a detailed description of all six steps involved in building a risk-based security strategy -- as well as some advice on how to get started -- download the free report on developing a risk-based security strategy.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.