This ongoing visual representation of risk helped the security team show results to management. After the new three-tier system was implemented, the company saw a significant increase in malware infections on servers located in some of the regions where it did business, said Jones. Over several months, the company upgraded many of the affected servers. The analytical charts were able to show the decreasing infection levels and the overall lowering of corporate risk, he said. These graphs could be shown to managers, many of whom were already familiar with the charts and the tier system.
Another major difference between the old framework and the new one has been the executive approval process, said Jones. Compared to the old system, many more executives who work in risk-related areas are now involved in the process of approving decisions.
The new system also involves a tiered approval process, with the number of approvers depending on the level of risk. In any decision involving PII, for example, the head of the relevant business unit must give approval. For tier-three risk involving PII, however, signatures are also required from senior executives, including the company’s chief information officer and chief security officer, the organization’s privacy officer, a corporate director, and Jones himself, in addition to the relevant business unit head. The number of signatures is based largely on the overall financial risk involved, he said. The tiered system of authorization also helps reduce the company’s workload, because lower-risk decisions require the approval of fewer people.
Jones said that in his experience, many organizations are able to measure certain types of risk, but few have a framework geared towards assessing risk in the context of overall business objectives. “One thing you need to ask yourself is if you currently have a standard way to manage risk,” he said.
Companies without a comprehensive framework might want to “start small.” A holistic system built from the bottom up, he said, can sometimes evolve into a solution more tailored to a company’s unique business needs.