Last week, I announced the release of the RSA Archer Maturity Model series of white papers, which discuss the different phases and the key capabilities organizations should pursue in building maturity across different segments of risk management. IT and security risk is one of those key areas, and for good reason. At this point, business and technology are inseparable. I have written about it before, and if you take a straw poll among any group of risk-minded individuals, the general consensus is that business risk and IT risk range from inescapably linked to synonymous. So what does this have to do with Wally World?
The journey to maturity in IT Security Risk Management is much like the popular movie National Lampoon’s Vacation. For those of you unfamiliar with the movie (or who haven’t seen it in ages), let me refresh your memory on the epic tale of the indomitable Griswold family as they embark on a cross-country trip to the fabled amusement park “Wally World”. Along the way, our intrepid heroes fall into multiple calamitous events:
They take the wrong turn off the highway and end up in a dangerous, seedy part of town where their car is vandalized. (Sound like that business unit of yours that thought it was a good idea to outsource an IT initiative without security oversight?)
Clark, the beleaguered husband, becomes distracted by an attractive woman, leading to disastrous results. (Ring any bells about that technology that promised to solve all your security issues, only to become a quagmire of disillusionment?)
Upon reaching their destination, they find the park closed, and their hopes of a fun family outing are smashed. (A reminder that not all strategies come to fruition: many times the rules change, the business evolves, or the plan just doesn’t work out.)
There are several instances in the movie that draw a parallel with organizations’ struggle to achieve risk management maturity. My point is that any journey you undertake has its pitfalls and obstacles. No journey, including the drive for maturity in your IT Security Risk program, will avoid every setback. However, a journey well planned is a destination half reached.
The RSA Archer IT Security Risk Management maturity model focuses on four key capabilities that enable a sustainable, agile program:
Establish business context for security;
Establish security policies and standards;
Identify and resolve security deficiencies; and
Detect and respond to attacks.
An organization focusing on these competencies sets itself apart from the reactive, compliance-driven security function and positions its security capabilities to deal with growing IT security risk. A security function that understands the business context of security requirements and issues can prioritize efforts, marshal the right resources, and drive controls to the most important parts of the business. Policies and standards set the bar for an organization and, when aligned with both regulatory and corporate compliance requirements, become the foundation for a maintainable program. Protecting resources requires stout security defenses with as few deficiencies as possible. Finally, no fortification is impenetrable, and the organization must be able to detect and respond when attacks pierce the barricades. There are many moving parts in this strategy, and the journey is substantial. But just like the Griswolds chasing their dream vacation, organizations seek to avoid complications and reach their Wally World – a technically strong, business-agile security function that becomes a competitive advantage for the company.