
ABOUT DYNTEK

DynTek delivers exceptional professional IT consulting services, end-to-end IT solutions and managed services to support our customers' digital transformation in areas such as IT Security, Digital Infrastructure, Modern Workplace, Data Center, and Cloud solutions.



Forging a Risk-Based Security Strategy


What’s the Difference Between Business Risk and IT Risk?

Having a security strategy and aligning it with business risks are part of a new approach to security that’s in sharp contrast to how security has been handled in the past.

One of our clients, Boston Medical Center (BMC), learned this first-hand as they fought for more funding around forging a risk-based security strategy.

For BMC, security spending amounted to only 1 to 2 percent of their overall IT budget, which made it nearly impossible to maintain programs at scale and address all the threats now facing healthcare organizations. Instead of simply looking at regulatory compliance, BMC took an approach that considered their business risks.

Implementing SANS’ 20 Critical Security Controls was part of this process and helped BMC assess the organization’s defenses against each control area. After evaluating where security holes existed in relation to their organization’s risk profile, they addressed the following questions:

  1. Can we do it?
  2. Can we mitigate it?
  3. Can we afford to do it? And if we can’t afford it, can we deal with the repercussions?

IT risks are not the same as business risks, and communication between the two job functions was critical for BMC to align IT security strategy with the organization’s business risks. They forged strategic relationships with the emergency management department and the business audit committee, two groups that fully understand the critical processes and functions that keep the organization running at its most basic level. Understanding the business risks, being able to identify where gaps occur in relation to SANS controls, and being able to articulate how products or processes are vital to the company’s operations made it much easier for BMC to land the funding they needed.

Are you in a similar boat, struggling to prove the necessity of a risk-based security strategy at your company? DynTek can help you get everyone on the same page as well as ensure more funding is committed to risk assessment and prevention. Download the latest publication of Security Insights to read more about BMC and also get a better sense of where your company stands against cybersecurity threats.