New ISSA President Sets 3-Point Agenda#1 Challenge: Understand True Information Risk
Kevin Richards, head of the Information Systems Security Association (ISSA), in an exclusive interview, says he sees some fundamental areas where everyone is struggling against information security threats to their organizations. Richards, a risk management advisor with Crowe Horwath, replaced former ISSA head Howard Schmidt, who is now President Barack Obama's cyber security coordinator. ISSA has 10,000 members in more than 70 countries.
Areas where Richards says information security professionals need to focus include:
Understand Information Risk - Understanding what information, what data they have as an organization and identify what it is and where it resides. "Organizations are struggling with getting that inventory of what is it I have, where is it, how am I protecting it and what is the impact to the organization if it gets lost," Richards says. Organizations have to know what their real exposure is, and are struggling to get their arms around that idea.
Setting a Perimeter - Richards cites the explosion of mobile technologies, smart phones or thumb drives. "You have to define where the endpoint is. Is the endpoint part of the cloud? Is the endpoint a laptop?" The organization must know what it is that needs to be protected."
The days of having a "set perimeter" that the organization could build a wall around or dig a moat to protect "has been gone for years, and "with this explosion of technologies. I think that organizations are really having challenges trying to define that endpoint and define a security strategy," Richards says. The security plan has to be balanced to enable the business, but allow it to meet security and risk management objectives. He sees the security perimeter is still a big threat area for organizations.
Bridge the Gap - Between the traditional information security infrastructure and the organization's enterprise risk management framework. "How can I explain to the business: Here are my exposures, both technical, process, and getting management's understanding and buy in and commitment to get the appropriate funding to build those protection area controls in place?" The threat, Richards says, sometimes comes from the lack of understanding at an executive level as to what the organization's real exposures are. Richards concludes that info sec pros need to "bridge that gap so areas are being protected in a way that best supports the business risk objectives."