Security risk management: EMC latest SBIC report offers recommendations to overhaul outdated and inadequate information security processes

The security division of EMC released its latest security report this week. The aim of EMC security division’s latest Security for Business Innovation Council (SBIC) report is to provide guidance on how organisations can gain competitive advantage by transforming many of the outdated and inflexible IT security processes which govern the use and protection of information assets. The report, entitled ‘Transforming Information Security: Future-Proofing Processes’, highlights many of the key challenges, upgraded techniques and actionable recommendations that businesses can use to plan and build new processes which should help organisations gain business advantage and manage cyber risks more effectively.

The success of any business is dependent on the adequate management of information risk. Whilst the report acknowledges that many business groups within organisations are now taking greater ownership of information risk management, it accepts that there are still inherent inadequacies in many security risk management policies and procedures. EMC argues that outdated security processes are hindering business innovation and making it increasingly difficult to combat new cyber-security risks. EMC security division’s guidance encourages information security teams to collaborate more closely with functional business groups to establish new systems and processes which will help to identify, evaluate, and track cyber risks faster and with greater accuracy. The focus of this latest report is to identify the security process areas like risk measurement, business engagement, control assessments, third-party risk assessments, and threat detection that need to be improved.

SBIC recommends that businesses should:

  • Move the focus from technical assets to critical business processes. This shift in focus should broaden what is often a very myopic view of information asset protection, and provide a more accurate picture of how the business uses and documents critical information processes.
  • Institute business estimates of cybersecurity risks. Ensure that any assessment of cyber-security risk pulls no punches and is evaluated in terms of the threat to business interests. Security risk management teams should then integrate these business impact estimates into the risk-advisory process.
  • Establish business-centric risk assessments. Adopt automated tools for tracking information risks so the business can take an active hand in identifying danger and mitigating risks, and thus assume greater responsibility for security.
  • Aim for evidence-based controls assurance. Develop and document capabilities to amass data that proves the efficacy of controls on a continuous basis.
  • Develop informed data collection techniques. Aim for a data architecture that will enhance visibility and enrich analytics, and consider the types of questions data analytics can answer in order to identify relevant sources of data.

Art Coviello, executive vice president and executive chairman of the Security Division of EMC, introduced the latest report, saying:

“For the enterprise to successfully innovate in today’s digital world, security teams must re-evaluate cyber risk management efforts, steering away from reactive, perimeter-based approaches that are inflexible, and focus instead on proactive collaboration with the business. Updated processes as described by the Council can help organizations achieve a greater visibility of risk that can be harnessed to benefit the business.”

Dave Martin, vice president and Chief Information Security Officer of EMC Corporation, added:

“Documenting business processes has to be a collaborative effort, to accurately reflect what the risks to the system [are]. We’ll never understand the business value of the information to the same degree as the business owner, and they’ll never understand the threats to the same degree as the security team.”

If your business needs help with security reviews, penetration testing or web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].