Develop and Implement a Security Risk Management Program
With great risk management comes a great security program.
- To build an information security program, the organization must have a strong understanding of the risks it faces to help prioritize the controls or initiatives.
- Security risk is often difficult for business leaders to understand, as it falls out of the realm of their typical expertise.
- There is no one universal framework or methodology that can be used when it comes to risk management.
- Much of assessing and managing risk comes from making assumptions around certain threats, which are often weakly informed.
Our Advice
Critical Insight
- The best security programs are built on defensible risk management. These can ensure security decisions are made based on risk reduction benefit instead of frameworks alone.
- All risks can be quantified and incorporated into Info-Tech’s defensible model.
- Security risk management allows organizations to go from security uncertainty to saying confidently whether or not they are providing the correct level of security.
Impact and Result
- Develop a security risk management program to properly assess and manage the risks that affect your information systems.
- Tie together all the aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models.
- Move away from framework-driven security programs and build a program that is based on the unique risk profile of your organization.
- Use Info-Tech’s Security Risk Register Tool to track all the different threats to the organization and understand what is above or below an acceptable level of risk.
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 3-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Establish the risk environment
- Call 1: Have a project kick-off call.
- Call 2: Establish risk management responsibilities.
- Call 3: Establish the information security risk tolerance.
Guided Implementation 2: Build the security risk register
- Call 1: Begin building the risk register through risk identification.
- Call 2: Evaluate the risk results and review aggregate risk level.
Guided Implementation 3: Manage and communicate the risk register results
- Call 1: Secure the risk register.
- Call 2: Communicate conclusions drawn from risk register.
- Call 3: Leverage risk conclusions in security decisions.
Contributors
- Robert Banniza, Senior Director – IT Center Security, AMSURG
- Robert Hawk, Information Security Expert, xMatters, inc
- Joey LaCour, CISO, Colonial Savings, F.A.
- Sky Sharma, Cyber Security Advocate
- 1 additional anonymous contributor
Develop and Implement a Security Incident Management Program
Build Resilience Against Ransomware Attacks
Build a Vendor Security Assessment Service
Implement Risk-Based Vulnerability Management
Design a Tabletop Exercise to Support Your Security Operation
Master Your Security Incident Response Communications Program
Design a Coordinated Vulnerability Disclosure Program