Leading a business is no easy job. Business leaders are under constant pressure and are faced with immense challenges. There’s pressure from employees, board members, customers, regulators, and peers. Everyone wants something, and everybody has a case to make. Everybody demands decisions, and these decisions must be good ones. One bad decision has the potential to erase the memory of hundreds of good ones.
In order to be empowered for good decision-making, business leaders need to consistently demand answers to the following four risk assessment questions:
- What is the current state of our information security program?
- What is the future/acceptable state of our information security program?
- When will we reach our future/acceptable state?
- How much will it cost us to reach our future/acceptable state?
BONUS: What are the most significant things we are addressing now?
The quality of our answers to these questions determines whether business leaders can make consistently good business decisions.
What is the current state of our information security program?
The current state of the information security program will depend upon the measurement that you’ve chosen to reflect it. Some organizations choose a maturity scale, threats, and/or vulnerabilities to measure; however, these are all just components of risk. Information security is about managing risk, so a complete measurement of risk would be ideal.
The funny thing about risk is that it’s relative. Risk cannot be eliminated, so we know that we can’t ever reach the top of our measurement scale. The same is true in the opposite direction: we can’t ever reach the bottom of the scale either.
If we use risk or risk level to communicate the current state of our information security program, then it only makes sense to communicate the results of a current information security risk assessment as the current state.
How the pros do it
Our chosen information security risk assessment methodology is provided by SecurityStudio®. The assessment creates a FISASCORE® that plots risk on a scale of 300 to 850.
Figure 1: FISASCORE depicted on the standard scale.
We prefer this method of communicating risk because business leaders can easily relate to its meaning. We can stand on the truth behind FISASCORE because all criteria are objective, it’s derived from well-known industry standards, the maintainers (SecurityStudio) have hundreds of years of combined information security experience, and it’s already being used by thousands of other organizations.
This assessment will serve as the measuring stick from which we will measure future state(s), until we cycle back to another full assessment.
Quick Answer for Management: The current state of our information security program is 628.20 (your FISASCORE) or “Fair.”
What is the future/acceptable state of our information security program?
This is a question that must be answered by the business. Information security professionals can suggest or recommend what “acceptable” is, but this isn’t ideal. What counts as an acceptable level of risk is different for each organization, and determining it requires some work.
In a typical risk assessment, there may be dozens (or maybe hundreds) of significant risks that are cited. Decisions must be made about which of these risks are acceptable and which are not. It’s our job to work with business leaders to determine which are which. For those risks that are not acceptable, we need to determine if we’re going to mitigate, transfer (insure maybe), or avoid them.
These risk decisions will determine our future state. Each risk that is slated for mitigation, transfer, or avoidance will improve the state of the program.
How the pros do it
The point of an information security risk assessment isn’t only the assessment. An assessment is only a starting point for improvement. We coach business leaders in making decisions for each and every risk that is identified in the assessment. Every risk requires a decision: accept, mitigate, transfer, or avoid. Once risk decisions are made, the “acceptable” level of risk is determined.
Quick Answer for Management: The future/acceptable state of our information security program is a FISASCORE of 708.34.
When will we reach our future/acceptable state?
Now that we know the acceptable state, we need to figure out when we can get there. Determination of the “when” will require commitment and good resource planning.
How the pros do it
We need to prioritize each risk decision that requires an action: mitigate, transfer, or avoid. In the previous step, we made the risk decisions with the business leader(s). There are really three steps in this process:
- Organizing like tasks (often recommendations from the risk assessment) into projects
- Prioritizing projects based on risk significance and business needs
- Plotting projects into a calendar (in quarters) based on priorities and resource constraints
The first time this is done, it can be a tedious endeavor. This is another reason to work with the pros! Resource constraints will come in two primary forms: personnel (or services) and/or hardware/software (or products). Some of the projects will likely require an investment in additional personnel (in-house or outsourced) and some will likely require the purchase of a product. Some organizations can afford to spend more on information security, resulting in more accomplishments in a shorter period, while others may need to move more slowly. The end result is a roadmap and trending of FISASCOREs.
There’s just one thing missing in this plan though: determining who’s going to do all the work. If we don’t assign the work to somebody, it’s not going to get done.
Quick Answer for Management: We will achieve our future/acceptable state by Q4/2019.
Assuming we’ve done our work well, we can even share our plans in a graph with trending, which makes things a little more impressive for management:
Figure 2: FISASCORE risk assessment trend depicting the planned future state of the information security program. The acceptable FISASCORE is highlighted. A new full FISASCORE is planned in Q3/2020.
How much will it cost us to reach our future/acceptable state?
Information security budgets are tricky for most organizations. The budget to move from the current state to the planned future state is relatively simple, at least for planning purposes. Resource constraints were identified (and hopefully documented) when determining when we will reach our future state, so now we need to get the numbers for any/all required investments.
How the pros do it
Investments to move from the current state to the desired state come in two forms: personnel costs and product costs (hardware and/or software). Some of the personnel costs will be spent on internal staff and some might be spent on consultants/outsourced personnel. The good thing about outsourcing is that we have something specific to hold them accountable to.
This forms the basis of our virtual Chief Information Security Officer (vCISO) service.
Quick Answer for Management: The cost to reach our future/acceptable state is estimated to be $650,000.
The Four Questions Together
The entire message to the board, in five minutes or less, ends up sounding something like this:
The current state of our information security program, as measured by FISASCORE, is 628.20 (“Fair”). Our plan is to achieve a FISASCORE of 708.34 (“Good”) by Q4/2019 at a cost of $650,000.
It won’t be this simple the first time you communicate this to the board, but it does get this simple going forward. The next message in the next board meeting may sound something like this:
Our beginning FISASCORE® in Q2/2018 was 628.20 (“Fair”), and our planned FISASCORE is 708.34 (“Good”) by Q4/2019. We are currently under budget and on plan with a new FISASCORE of 657.47.
In order to be empowered for good decision-making, business leaders need to consistently demand answers for these risk assessment questions. As information security practitioners, we owe it to our business leaders and the board. As business leaders, we deserve this from our information security practitioners.
For more information about information security risk assessments, and how FRSecure can help answer these questions, visit frsecure.com.