As the information breach at the NSA has shown all too well, no security is perfect. Effective security policy and measures can provide strong security, but not absolute security, which means that organizations need to know just what risks they are actually taking. The traditional yes-or-no approach of information security professionals does not provide all the information needed; a risk management approach may serve organizations better.
As Robb Reck blogs at Infosec Island, the traditional role of security professionals is to serve as gatekeepers. They assess a project, whether a new software release or a new business plan, and either approve it from a security perspective, or downcheck it and send it back to the drawing board.
Reck, who has worked in leadership roles in both information security and risk management, believes that this is the wrong approach, and that gatekeeping does not provide the best real-world security. The risk management approach, applied to risks of all sorts, is to measure and project levels of risk rather than to issue a verdict. Organizational leaders can then apply that assessment to decide just how risky a project is, and whether those are risks they are prepared to take.
The traditional yes-or-no, black-or-white approach to security, argues Reck, gives too much power to security teams – and not in a way helpful to either the organization or its data security. The traditional approach essentially gives security professionals the Power of No. They can stop a project in its tracks, even though they don't know the whole big picture.
A more effective role, and a more effective kind of power, is to provide a measured assessment of security concerns and risks. Some data needs a moderate degree of protection. Other data requires much more stringent protection. And changes in business strategy, for example in how customer information is used, can turn previously low-risk databases into sensitive, high-risk ones.
At GRT Corporation our years of experience with information security have confirmed for us that it is indeed not a product, but a process. We can help you measure and assess the potential information security risks that your organization may face, and what protective measures can reduce these risks to an acceptable level.