Information Security Forum Report Tackles Business-Focused Security Assurance Programs
June 2019 by The Information Security Forum (ISF)
The Information Security Forum (ISF), a trusted resource for executives and board members on cyber security and risk management, today announced the release of Establishing a Business-Focused Security Assurance Program, the organization’s latest report, which explores how individuals responsible for providing security assurance in their organization can meet the specific needs of business stakeholders. The report equips organizations to establish and run a security assurance program that focuses on the needs of the business. It does this by outlining the need for change towards a business-focused approach, identifying how to move from current to future approaches, introducing three fundamental elements that underpin successful business-focused security assurance, and describing a repeatable process for providing security assurance.
Many organizations aspire to an approach that directly links security assurance with the needs of the business, demonstrating the level of value that security provides. However, there is often a significant gap between goals and reality. Improvement requires time and patience, but organizations do not need to start at the beginning. Most already have the basics of security assurance in place, meeting compliance obligations by evaluating the extent to which required controls have been implemented and identifying gaps or weaknesses. Establishing a Business-Focused Security Assurance Program explains how organizations can build on existing compliance-based approaches rather than replace them.
“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are,” said Steve Durbin, Managing Director, ISF. “A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”
Business-focused security assurance programs can build on existing compliance-based approaches by:
• Identifying the specific needs of different business stakeholders
• Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
• Reporting on security in a business context
• Leveraging skills, expertise and technology from within and outside the organization
Most organizations run a security assurance program of some kind, but implementation varies significantly. A successful, business-focused security assurance program requires positive, collaborative working relationships throughout the organization. Security, business and IT leaders should actively engage with each other to make sure that requirements are realistic and expectations are understood by all.
“In today’s fast-moving business environment, filled with constantly evolving cyber threats, business leaders want confidence that their processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences,” continued Durbin. “Establishing a business-focused security assurance program is a long-term and ongoing investment. The ISF Approach presented in this report will help organizations to review current approaches and determine how to turn aspirations into reality.”
The ISF Approach to Establishing a Business-Focused Security Assurance Program is designed to be flexible, enabling individuals tasked with providing security assurance to ask the right questions of business leaders and perform the activities that will deliver the most pertinent results. By developing a flexible, repeatable security assurance process, organizations can promote continuous learning and improvement: lessons learned from one review can be applied elsewhere. Organizations can use the ISF Approach to begin providing the right level of confidence in controls.
This report is primarily directed at individuals who are tasked with providing security assurance for an organization. These can include security managers, security specialists, security architects, project/program managers, business analysts (within the IT department) and legal and regulatory compliance specialists. The report will also be of interest to individuals in senior management who have a governance and oversight role including the Chief Information Security Officer (CISO), Chief Information Officer (CIO), Chief Risk Officer (CRO) and Head of Audit. Establishing a Business-Focused Security Assurance Program is available now to ISF Member companies via the ISF website.
About the Information Security Forum
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. The ISF is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. By working together, ISF Members avoid the major expenditure required to reach the same goals on their own. Consultancy services are available and provide ISF Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.