Put another way, everyone owns various types of property, but you don't want to invest the same amount of your resources to protect everything you own. You intuitively know which of your belongings you're comfortable leaving on the front lawn overnight and which you want to make sure are locked up safe and sound at the end of the day.
That thought process is akin to applying a business risk framework - you can drive yourself crazy by treating everything equally, or you can objectively apply your limited resources in a business-oriented way through effective risk "scoping".
One crucial element in this process is to "show your work" by articulating the criteria and decision process you use to evaluate risk. This kind of transparency enables others in the organization to evaluate risk on their own and arrive at similar conclusions about the relative risk of the assets involved in the business. A repeatable, objective model is essential not only for scaling as the business grows; it also allows you to delegate accountability for risk through many levels of the organization.
Use compliance as a lever to unlock funding for your most important security projects. Nothing gets budget like an ultimatum with the potential for negative consequences.
Another important lesson involves "scoping," in which we strive to create logical boundaries that enable us to manage segments of our infrastructure according to risk. Look at PCI DSS, which is about applying good security practices in the environment to protect credit card data. As guidance from the PCI Council has evolved over the last decade, there has been a deliberate emphasis on scoping the environment to help reduce the footprint of systems involved in credit card transactions. This scoping process has made it easier to invest in PCI compliance: fewer systems are involved, which enables a less costly and resource-intensive approach to security. The caveat is that a reduced scope only holds up if the segmentation behind it is real - systems you declare out of scope must be genuinely isolated from the cardholder data environment, and that isolation has to be verified, not assumed.
When scope, risk, and cost are evaluated together, this objective approach lets a business decide whether it would rather pay to resolve an issue or accept the fine for leaving it unresolved. In some circumstances this has negative consequences, but in many organizations it has actually improved the situation by making compliance more of a collaborative, business-focused exercise, where you have to sit in a war room and discuss risk in a cross-functional way.
Once the business agrees on the top priorities to be funded, as well as the implications of non-compliance, the budget discussion becomes much easier.
In scoping, one area that is often overlooked involves risks associated with third parties. If you use external payment processors, or rely on banks in a model in which a third-party clearing house manages everyone's data, there will inevitably be complex overlaps. Remember that you are still responsible for keeping your customer data safe, even if you outsource processing to another party. Incorporate the third party into your risk assessment so you aren't blindsided, and assign control objectives to them so you can govern how they handle your data. In practice that means a written agreement that spells out which controls they own and which you own, and a periodic check (at least annually) that they can still demonstrate compliance for the services they provide to you.
Use compliance to keep the pressure on and drive continuous improvement. Regular compliance audits ensure that you evaluate where you stand on a periodic basis, which helps keep the momentum behind improvement activities - establish some kind of forced cadence to get the same effect in your organization.