The report highlights key challenges, upgraded techniques and actionable recommendations that can be used to plan and build new processes to help organizations gain business advantage and more effectively manage cyber risks.
Business groups within organizations are taking greater ownership of information risk management; however, outdated security processes are hindering business innovation and making it difficult to combat new cybersecurity risks.
The Council offers guidance calling for information security teams to collaborate more closely with functional business groups to establish new systems and processes to help identify, evaluate, and track cyber risks faster and with greater accuracy.
The report spotlights areas ripe for security process improvement, including risk measurement, business engagement, control assessments, third-party risk assessments, and threat detection. The Council also offers five recommendations for how to move information security programs forward to help business groups exploit risk for competitive advantage:
Shift Focus from Technical Assets to Critical Business Processes - Expand beyond a technical, myopic view of protecting information assets and get a broader picture of how the business uses information by working with business units to document critical business processes.
Institute Business Estimates of Cybersecurity Risks - Describe cybersecurity risks in hard-hitting, quantified business terms and integrate these business impact estimates into the risk-advisory process.
Establish Business-centric Risk Assessments - Adopt automated tools for tracking information risks so business units can take an active hand in identifying danger and mitigating risks and thus assume greater responsibility for security.
Set a Course for Evidence-based Controls Assurance - Develop and document capabilities to amass data that proves the efficacy of controls on a continuous basis.
Develop Informed Data Collection Techniques - Set a course for data architecture that can enhance visibility and enrich analytics. Consider the types of questions data analytics can answer in order to identify relevant sources of data.
Art Coviello, Executive Vice President, EMC, Executive Chairman, RSA, The Security Division of EMC, said: "For the enterprise to successfully innovate in today's digital world, security teams must re-evaluate cyber risk management efforts, steering away from reactive, perimeter-based approaches that are inflexible and focus instead on proactive collaboration with the business. Updated processes as described by the Council can help organizations achieve a greater visibility of risk that can be harnessed to benefit the business."