
This is the third part of a multi-part series on security program design. The previous article highlighted the security design process at a fairly high level. This iteration dives deeper into the functional groups that are owners of security risk and are, therefore, key partners for Security.

As stated in the security design process, people from functional groups that own security risk should be involved in the design of the security program. In practice, however, security risk owners from across the organization will be key partners with Security on an ongoing and collaborative basis. The level of collaboration between Security and the risk owners is vital, so these relationships need to be deep enough to allow for mutual sharing of the who/what/when/where/how/why of security risks and security risk management. This will help Security know more about how to enable the security risk owner to manage their people, processes and technologies most effectively in the management of the risks that are present.

How are security risk owners identified? The primary means of identifying and documenting the owners of security risk is a formal risk assessment. One of the outputs of a risk assessment will be a list of business processes where security risk exists. This will help Security ensure that all stakeholder groups have been identified and, subsequently, will help ensure that all security risks have been documented.

Who are the security risk owners? These groups will vary by organization, but the risk assessment process commonly identifies Human Resources, Accounting, Finance, Supply Chain, Information Technology, Enterprise Risk Management and, where applicable, Tours/Groups/Event Management, as well as both Cyber/Information Security and Physical Security. There will likely be additional groups that are called out by the risk assessment.

In addition to the security risks that are presented through various internal groups, the risk assessment process will help document where potential external risks exist through business partners, suppliers and other groups that the company interacts with. This may be risk that is present in system integrations between the two companies (i.e., product ordering systems, technical support systems or other remote access that a service provider might have), processes in which work is executed externally or myriad other potential examples.

Note: Relationships with external groups such as Law Enforcement, regulators, etc., need to be pursued as a key component of the security risk management strategy. Depending on the scope of the effort, these external groups may or may not be identified in the results of the risk assessment.

The role of Security is to enable the enterprise to manage security risk. As such, the security risk owner is a critical touchpoint within the respective company for Security. These are the people that Security will enable through education, consultation, coaching and mentoring to manage security risk. In turn, these folks will report the status of security risk at the enterprise level – keeping risk transparent and leadership informed.