“Once the threats are understood, the next key step is to recognize the risk appetite of your firm”
Security - do you stop spending?
is to recognize the risk appetite of your firm. Risk appetite is a somewhat intangible element; however, it is important that the security professional instinctively understands the risk tolerance for that particular firm. Documenting the risk appetite and building the risk management process around it can be hugely valuable to an information security team; such an activity drives a greater level of participation from business staff and ensures that information security can no longer remain just an IT issue. Although this degree of business involvement may be new for some firms, no CEO can have failed to notice the ever-increasing press coverage of cyber threats and information and technology risks. As such, you may be surprised at how keen the business staff will be to contribute.
Effectiveness can only be described if the controls that are in place are scrutinized and measured. To this end, it is important to have the capacity to undertake IT audits from within the IT Security team. The increasing complexity of technology solutions means that the auditor's role is becoming more and more challenging; however, even with just a partial resource allocated to IT audit, there is great value that can be added.
It is vital that your information security programme does not become a 'money pit' to the organisation. This baseline of recognized threats, defined risk appetite and audit capability enables the security professional to understand the developing risk profile within their firm and to target where they may best expend their efforts, resources and money to support the business. Only at this point can discussions about the effectiveness and value for money provided by your security policy start to have any real meaning.
The discussion at Infosec will consider how to help you ensure that your security controls are both effective and appropriate.
Andrew Rose
Global IT Risk Manager, Clifford Chance LLP
Andrew will speak on the Keynote panel "The Effectiveness Of Information Security – When Do You Stop Spending" on Tuesday 19th April at 11.15.