In discussions with customers over the past few weeks the question of how much security is enough for a given organization has been raised repeatedly. Contrary to the opinion of some in the industry, this really is not a mysterious issue. To understand what is enough security requires understanding the acceptable risk level for the company. Building that understanding is the heart of a risk management process. At a high level, an enterprise must understand its business drivers, business requirements and regulatory requirements, and analyze risks and threats on an ongoing basis. The diagram below illustrates this concept; at its core is a risk analysis with four steps:
• identify corporate assets
• assign a value to each asset
• identify each asset’s vulnerabilities and the threats that could exploit them
• determine the risk to each asset (the likelihood of a loss event combined with its impact on the asset’s value)
Upon completion of this process the risk analysis team can determine what is necessary to mitigate each risk, weigh the cost of candidate security countermeasures against the loss they are expected to prevent, and work with management to make a decision appropriate for the business.
Mitigating risk through security countermeasures such as additional controls is just one option. The organization can also decide to accept the risk (when the expected loss is within its tolerance), avoid the risk (perhaps by exiting a particular business) or transfer part of the risk by purchasing insurance. Note that transferring risk shifts the financial loss, not the responsibility for the incident; a breach still has to be handled and disclosed.
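The following is an added example, not code from the original post, showing one way to carry the four analysis steps and the accept/mitigate/transfer decision through as a calculation. It uses the standard quantitative model (single loss expectancy = asset value × exposure factor; annualized loss expectancy = SLE × annual rate of occurrence), which the post does not name but which fits its steps directly. The asset, threat rates, countermeasure costs, insurance terms and risk tolerance are all constructed for illustration; real figures come from the asset inventory and incident history.

```python
# Added example: quantitative risk analysis over a small asset inventory.
# Uses the standard SLE/ARO/ALE model. Every number below (asset value, threat
# rates, control costs, insurance terms, tolerance) is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset's value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)


@dataclass
class Asset:
    name: str
    value: float            # step 2: value assigned to the asset
    threats: list           # step 3: threats/vulnerabilities identified for it


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    threat: str             # which threat the control addresses
    rate_reduction: float   # fraction by which it reduces that threat's ARO (0..1)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """Step 4: risk expressed as expected annual loss, summed over all threats to the asset."""
    return sum(single_loss_expectancy(asset, t) * t.annual_rate for t in asset.threats)


def residual_ale(asset: Asset, measure: Countermeasure) -> float:
    """ALE after the countermeasure reduces the rate of the one threat it targets."""
    total = 0.0
    for t in asset.threats:
        rate = t.annual_rate
        if t.name == measure.threat:
            rate *= 1.0 - measure.rate_reduction
        total += single_loss_expectancy(asset, t) * rate
    return total


def net_benefit(asset: Asset, measure: Countermeasure) -> float:
    """Annual loss avoided minus what the control costs; negative means it is not worth buying."""
    return annualized_loss_expectancy(asset) - residual_ale(asset, measure) - measure.annual_cost


def recommend(asset, measures, insurance_premium, insurance_coverage, tolerance):
    """Choose accept / mitigate / transfer by lowest expected annual cost.
    'Avoid' (exit the line of business) is a management decision outside this calculation."""
    ale = annualized_loss_expectancy(asset)
    if ale <= tolerance:
        return {"decision": "accept", "annual_cost": ale, "measure": None}
    options = [{"decision": "accept", "annual_cost": ale, "measure": None}]
    # transfer: the insurer pays the covered share of losses; the premium is paid regardless
    options.append({"decision": "transfer",
                    "annual_cost": ale * (1.0 - insurance_coverage) + insurance_premium,
                    "measure": None})
    # mitigate: only controls whose net benefit is positive are candidates
    for m in measures:
        if net_benefit(asset, m) > 0:
            options.append({"decision": "mitigate",
                            "annual_cost": residual_ale(asset, m) + m.annual_cost,
                            "measure": m.name})
    return min(options, key=lambda o: o["annual_cost"])


# Constructed inventory: one asset, two threats, two candidate controls.
CUSTOMER_DB = Asset("customer database", 2_000_000.0, [
    Threat("data breach", exposure_factor=0.25, annual_rate=0.10),
    Threat("ransomware", exposure_factor=0.40, annual_rate=0.05),
])
MEASURES = [
    Countermeasure("encryption and access controls", 20_000.0, "data breach", 0.8),
    Countermeasure("offline backups", 8_000.0, "ransomware", 0.9),
]


def example_decision():
    # Constructed insurance terms and a risk tolerance set by management.
    return recommend(CUSTOMER_DB, MEASURES, insurance_premium=40_000.0,
                     insurance_coverage=0.7, tolerance=25_000.0)


if __name__ == "__main__":
    print(f"ALE: {annualized_loss_expectancy(CUSTOMER_DB):,.0f}")
    for m in MEASURES:
        print(f"{m.name}: net benefit {net_benefit(CUSTOMER_DB, m):,.0f}")
    print(example_decision())
```

With these inputs the asset carries an expected loss of 90,000 per year; offline backups cost 8,000 and cut that to about 54,000, so they beat both the insurance option and the more expensive encryption control, and the recommendation is to mitigate. Raising the tolerance above the ALE flips the answer to accept without any control spend, which is the point of the post: the same numbers give a different "enough" for a different acceptable risk level.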
An important element of this process is to understand the relationship between security threats, business goals, legal requirements and regulatory requirements. The risk management team must ask how security threats can negatively affect business goals, and what impact legal and regulatory requirements have on those goals. Synthesizing the answers defines the acceptable risk level for the business, and understanding that level is the key to answering the question of how much security is enough.