The Evolution of Security Strategies

By James Christiansen ·

In my last blog post, I discussed how the role of the Chief Information Security Officer (CISO) has evolved into the Chief Information Risk Officer (CIRO), and the growing list of responsibilities associated with this evolution. This shift raises questions on how to structure reporting relationships that support open communication and collaboration between the CIRO and other areas of the business; and require the CIRO keep the board of directors informed of the risks the company is facing from security, privacy and regulatory threats.

Depending on company size, industry sector and security program maturity, different security strategies are being deployed across organizations today. The evolution of IT-based security programs, to compliance-based, to now threat and risk-based security programs illustrate the journey organizations take as their security programs mature and move toward a business-aligned program.

IT-Based Security Program This traditional approach focuses on the implementation of security technologies within the organization. The function of security is seen as a component of the IT team. The emphasis is on the infrastructure and keeping the internal systems secure.

Compliance-Based Security Program Organizations that are highly regulated focus their efforts on complying with security and privacy regulations. This is the most common program seen today; however, recent security events have shown that compliance does not equal security and it alone is not an effective strategy.

Risk-Based Security Program The best security programs are business-aligned. It is critical for organizations to understand the goals and objectives of the company and recognize the threats they face that hinder those objectives. Different organizations face different threats based on specific attributes. For example, a highly public-facing organization will have a greater likelihood of a DDoS attack than others, while organizations with significant size and complexity will have a larger probability of an APT attack. Combining the business goals, risks and threats is the key to developing a highly effective information risk program.

As organizations move toward this risk-based security approach, the CIRO will have many responsibilities that are not directly related to information technology. This is why it is necessary to shift away from the traditional reporting structure (where the CISO reports to the CIO) so that the CIRO is in a position to communicate directly to the board and other key executives in order to support the ongoing risk management of the organization. In my next blog post I will explore these reporting models and the benefits of this emerging structure.