Security assurance needs a business-focused approach
Business leaders want confidence that their operations will keep running as normal without information being compromised. But in a fast-moving, interconnected environment where the threat landscape is constantly evolving, security assurance programs often provide a false sense of confidence: they confirm that controls exist without showing whether those controls actually protect the business.
The Information Security Forum (ISF) is releasing a new report, Establishing a Business-Focused Security Assurance Program, which explores how the individuals responsible for providing security assurance in their organization can meet the specific needs of business stakeholders.
"Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are," says Steve Durbin, Managing Director of the ISF. "A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence."
Most organizations run a security assurance program of some kind, but implementation varies significantly. A successful, business-focused security assurance program needs positive, collaborative working relationships throughout the organization. Security, business and IT leaders should actively engage with each other to make sure that requirements are realistic and expectations are understood by all.
Durbin adds, "Establishing a business-focused security assurance program is a long-term and ongoing investment. The ISF Approach presented in this report will help organizations to review current approaches and determine how to turn aspirations into reality."
The full report is available from the ISF site.