Applying a Business-Driven Security approach enables organizations to more intelligently allocate limited resources to the biggest information security risks. While no organization can achieve its objectives without taking risks, the risk-taking must be well understood and managed to ensure that it is appropriate to achieve the organization’s objectives without jeopardizing the organization’s existence. Organizations can optimize this balance by embracing business risk management — applying governance, risk and compliance (GRC) concepts and best practices and implementing a framework to collect and organize information that is relevant for management of information security risk.
Business risk management makes GRC actionable, enabling organizations to improve business performance through reduced risk and more informed decision making. Organizations can define and enforce accountability for risk and compliance issues, and drive efficiencies by automating processes. It also enables collaboration on risk issues across business lines and organizational boundaries, and improves visibility by consolidating data and enabling risk analytics across the organization.
Business-Driven Security relies on the implementation of a framework for collecting and organizing information relevant to information risk management. A business risk management framework is a catalog of the organizational elements, and their interrelationships, that are necessary for the organization to meet its objectives and manage its risk and compliance obligations. These elements include strategies and objectives, products and services, policies and procedures, authoritative sources, business processes and sub-processes, third parties, IT infrastructure elements (web services, IT software applications, IT systems, databases, and data stores both inside and outside of the cloud), and risks and controls.