A mature information security program is built around an organization's understanding of risk in the context of the needs of the business.
A risk-based cybersecurity approach is one of the main methods of objectively identifying which security controls to apply, where to apply them and when. After all, it is difficult to defend something when you have not identified and prioritized what needs defending, where and when it is exposed, and which methods are available to defend it.
Unfortunately, this type of approach is often implemented poorly because of its complexity. In fact, according to a recent Ponemon report, 50 percent of IT and security personnel do not believe risk management is aligned with their organization's goals.
As a result, SecureWorks felt it would be useful to provide a step-by-step process that details the stages, and the substages within them, used to identify the key components needed to implement a risk-based security approach.
Topics covered in implementing a risk-based security approach:
- Prioritize Your Information Assets and Processes
- Identify and Prioritize Risks
- Implement Foundational Security Controls Across Those Key Assets
- Build a Targeted Security Capability Model
- Develop the Security Improvement Roadmap
- Ensure Governance and Organization Engagement