@ISACA Volume 24  28 November 2018

Five Key Components of a Defensible Information Risk and Security Program


A defensible approach to information risk and security ensures that an organization can justify its strategy, actions, approach and security posture to interested and required parties. Defensibility aligns with the legal principle of due care. A recognized legal definition of due care that aligns with information risk and security programs is: “[Due care] refers to the level of judgment, care, prudence, determination and activity that a person or organization would reasonably be expected to do under particular circumstances.”

Adopting the principle of developing and maintaining a defensible approach to information risk and security that supports the principle of due care can often be a path to greater success for the professionals who are tasked with identifying information-related risk factors and ensuring they are properly managed. Expectations of improvements and enhancements regarding information risk management and security are continuously increasing. It is important for organizations to identify and recognize where these expectations exist and ensure their strategy and approach addresses them within a reasonable and expected timeframe.

Defensible does not always mean complete when it comes to the implementation of security-related capabilities. In many cases, an organization’s security-related capabilities can be defensible if they are able to demonstrate meaningful and material progress in their implementation and a strategy and roadmap that demonstrates how they will be able to complete the implementation and effectively sustain capabilities.

Risk and security leaders and professionals often struggle to find effective approaches to gain and maintain the support of the organizations they operate within for their efforts and activities. They often resort to methods such as fear, uncertainty and doubt; security by compliance; or heavy-handed policies and standards to progress toward their goals and achieve their objectives. These approaches can be perceived as negatives by stakeholders and constituents and, therefore, their requirements are not likely to be willingly embraced or adopted by these parties. By adjusting the approach and communications to promote the concept of defensible information risk and security, leaders and professionals who support these efforts are likely to find more success and support within their organizations. There are 5 key areas an organization should consider when developing and maintaining a defensible approach to information risk and security:

  1. Develop and maintain an information risk profile—An information risk profile provides a common and agreed-upon understanding between an organization’s information risk and security function and its leadership about the organization’s risk appetite. The information risk and security strategy should support the goals and objectives of the organization it supports in line with its risk appetite. Information risk profiles can be considered “pain charts” that information risk and security professionals use when interacting with organizational leadership to have a common communication tool. Together they can define the characteristics and conditions when information security events, incidents, controls and activities create material impacts to the organization’s ability to be successful or when risk exceeds acceptable tolerance levels. The end result will define the organization’s current information risk appetite.
    This level of understanding creates a framework that all portions of an organization’s information security posture should be able to be pressure tested against to ensure alignment with an organization’s risk management-based expectations and requirements. An organization’s information risk and security strategy should be able to demonstrate that it is managing the organization’s potential and realized pain occurring as a result of information security events, incidents and control requirements to a manageable level that is acceptable to the organization. If the organizational leadership ever questions the level of effort or cost required to implement and maintain the identified information security strategy or controls, the information risk and security professional can reference the mutually agreed upon information risk profile. This will allow them to work with their leadership to identify whether the organization would like to stay the course or recalibrate its threshold for pain to allow for more risk. This tactic directly supports the demonstration of defensible strategy.
  2. Conduct threat and vulnerability analysis of key business processes—A threat and vulnerability analysis is an activity that models a particular solution or business process against attack scenarios and known vulnerabilities to evaluate its resiliency or capability to repel or survive attacks. It utilizes intelligence capabilities such as technical knowledge, behavioral science and business logic to model attack scenarios, the likelihood of such attacks and the potential business impact if the attack were successful. By using data-driven and evidence-based threat and vulnerability analysis, the credibility and defensibility of the organization’s information risk and security approach and capabilities will significantly increase.
    The use of threat and vulnerability analysis supports the concept of defensibility by demonstrating an organization’s rationale for implementing specific security measures or accepting risk based on specific threats and/or vulnerabilities of which it is aware. Even if a dissenter disagrees with the results of the analysis, an organization can still demonstrate that it made a reasonable effort to identify its threats and vulnerabilities of material concern and made informed decisions about them.
  3. Develop and monitor risk treatment plans for information risk management—The documentation and monitoring of corrective action plans for risk remediation provides evidence of an organization’s intent and progress in managing or remediating identified information-related risk. Risk treatment plans should include specific details of actions that will or will not be taken, accountable parties and required resources, requirements for success, timelines and milestones, and key performance indicators that can be used to evaluate the effectiveness of the plans. These plans support defensibility by providing evidence of conscious choices by an organization to address identified risk in what it believes is a reasonable and appropriate fashion.
  4. Trust but verify—ensure security controls are working as intended—Security instrumentation tools can assist an organization in assessing the effectiveness of its technical security controls. These tools continuously simulate known or expected attack behaviors and activities against technical security controls. The results of this testing provide valuable intelligence to the organization and assist it in answering control-effectiveness questions such as: What portions of the attack can its existing security controls identify and block? What information would its detective security controls and capabilities generate during an attack? How effective are the organization’s security event and incident response processes and capabilities in defending against probable and realistic attack scenarios?
    The answers to these questions support the organization’s defensibility by demonstrating that it is validating its assumptions of protection and control effectiveness instead of trusting without reasonable assurance.
  5. Review materials and capabilities with trusted third parties—Using trusted advisors or independent third parties to evaluate and validate the reasonability of an organization’s information risk management approach and capabilities appreciably increases its defensibility. If a trusted advisor or independent assessor concludes and validates that an organization’s approach and capabilities are reasonable and sound, the organization can support its position that it is providing due care with regard to its information risk and security approach and capabilities.
    When possible, these reviews, assessments and/or opinions should align with recognized risk and security standards, such as the International Organization for Standardization (ISO) 27000 series, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), or documented and accepted current industry-leading practices. The use of these standards will help support the credibility of these reviews.

Adopting the concept of defensibility to demonstrate reasonable and appropriate approaches to information risk management and security introduces a pragmatic approach that is likely to be embraced and respected by constituents, stakeholders and interested parties. Defensible does not mean perfect. Instead, it promotes the idea that an organization can represent that its approach is justified and reasonable and that it has objective evidence to support this position.

John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. 

Virtual Summit—IT Risk Management


Risk management is an integral part of business for large and small organizations alike. Attending ISACA’s free, half-day risk management virtual summit will provide new guidance and help you advance your understanding of your current and future career in IT risk management. In the Virtual Summit—IT Risk Management, explore how to identify challenges and formulate solutions for both managing and mitigating IT risk and compliance issues within organizations of a variety of sizes and industries. Attendees will have opportunities to connect with peers around the world and gain insight on IT management best practices. Those who attend will also be able to:

  • Attend 3 live expert-led presentations
  • Engage with a panel of top professionals in roundtable discussions centered on IT risk management
  • Earn up to 4 free continuing professional education (CPE) hours.

ISACA, Adobe, ACL and BitSight will present the Virtual Summit—IT Risk Management. The event takes place on 12 December at 9AM CST (UTC -6 hours), and ISACA members can earn CPE hours by attending the summit.

To learn more about this event or to register for it, visit the Virtual Summit—IT Risk Management page of the ISACA website.


Share Your Cybersecurity Knowledge and Experience in The Nexus


Security professionals share original thought leadership and knowledge in The Nexus, the free Cybersecurity Nexus™ (CSX) monthly newsletter where all things cybersecurity converge. The Nexus delivers news, CSX updates and the best cybersecurity-related articles from around the web all in one convenient monthly newsletter.

The Nexus is currently looking for security experts to contribute original articles to consider for publication. Why not contribute an article and share your security experience with the wider cybercommunity?

Submitting an article is a fairly flexible process intended to accommodate the needs and preferences of you and your enterprise. Authors earn continuing professional education (CPE) hours for articles that are accepted for publication. For more information, contact mjasper@isaca.org.

Want to read more cybersecurity news? Subscribe to The Nexus today.


Growing a Cybersecurity Career: Five Questions for the Next Job Interview


Growing your career largely depends on the environment in which you have placed it to grow. Philip Casesa’s take on positive career culture and the five questions to ask to ensure your next potential employer fits your expectations, in his ISACA Journal volume 6 article “Growing a Cybersecurity Career: Five Questions for the Next Job Interview,” can help you grow and evolve your career.

Those who have owned a house plant have probably noticed that no matter where the plant is placed, it grows toward the strongest source of light—a phenomenon called "phototropism." Tropisms are defined as any growth in response to an environmental stimulus. They are found in nature in various forms, such as gravitropism (downward growth), hydrotropism (growth toward a water source) and aphototropism (growth away from a light source). Outside of the plant kingdom, the principles behind tropisms occur in places such as the economy, family life and the workplace.

Cybersecurity or IT professionals should seek out career opportunities that offer the right sorts of stimuli to enable their own growth. A positive corporate culture is one such stimulus. A well-rounded workforce development program is another. However, negative stimuli can be present as well, trapping employees in situations that stifle growth, push coworkers away and drain the team of talent.

So, how do job candidates evaluate whether an organization has the right set of stimuli for their own development? There are a few critical questions to ask. How the employer answers should provide the insight needed to determine whether the job will support personal and professional goals or whether the organization has already put a ceiling on growth potential.

Those who lead a cybersecurity team may find these questions helpful in evaluating the opportunities their program provides their team members.

Read about the five questions to ask at your next job interview in Philip Casesa’s ISACA Journal article, “Growing a Cybersecurity Career: Five Questions for the Next Job Interview.”