The process of improving security begins with choosing a framework that is effective at managing the risks unique to your organization. Simply implementing compliance standards might keep an organization above the minimum threshold set by regulators, but those standards are the bare minimum for protection and are insufficient against today's threats.

Protecting Critical Information

All organizations could benefit from a risk management program, that is, a program focused on identifying and preparing for potential threats, but some industries face an inherently heightened risk of adversaries targeting their protected data. Organizations in critical infrastructure industries, such as water or electrical utilities, are already required to meet established compliance standards; a risk management program goes further, improving the security of sensitive information and helping to keep vital services available to the communities that depend on them.

Choosing a Framework for Optimal Risk Management

Steady Foundation

The first step in creating an effective risk management program is choosing a framework that will cover the needs of the organization. A framework sets the foundation for an effective risk management program and enables the organization to identify and assess the threats they might be facing.

A framework acts as a lens through which the rest of the risk management program is viewed. The foundation chosen, whether NIST, ISO, C2M2 or one of the many other options, should be applied consistently so that an organization's risks can be compared over time. Without consistent use throughout, an organization is building its measurements on shifting sand, because each framework views risk and defines program elements differently, and results produced under one cannot be compared meaningfully with results produced under another. Once the foundation is settled, your team has a defined set of reference points on which to base the rest of the risk management program.

A framework supports analysis of the risk management program's maturity by comparing the organization's current controls against the practices the framework defines, and it identifies additional measures that could be taken to improve the program. That same baseline then provides the foundation needed to forecast the organization's future state as controls are deployed and threats evolve.

It is important to note that compliance standards are not frameworks. Compliance requirements establish minimum thresholds for acceptable behavior by or within an organization. They measure effectiveness as a binary decision: either an organization is compliant or it is not, and there is no extra credit for exceeding the minimum requirement. A framework, by contrast, can identify the next steps needed to improve the risk management program and show senior leadership how the program has evolved.


Security is a complicated issue regardless of an organization's size or type of work. An integrated team can help sort through the complexity and provide a solution fit for your organization's unique needs.


By Kevin Fuller. Kevin Fuller is managing director for security and risk consulting at 1898 & Co., part of Burns & McDonnell. He has more than 20 years of experience in developing and implementing security strategies and providing physical and cybersecurity solutions across multiple industries and markets. He has a Bachelor of Science in business administration from Truman State University and a Master of Science in information management from Washington University in St. Louis, as well as a Master's Certification in information assurance from the University of Maryland.