We Can Do Better At Controlling For Risk Today As Well As Tomorrow

The following is taken from an address given by Cylance Chief Security & Trust Officer Malcolm Harkins to the United States Senate in March 2017. We believe it’s important enough to share with the public and start a dialogue so that we can band together to find the solutions we so clearly need, in order to secure our vastly changing future.

Part 1 of this series can be found here. Part 2 is here.

Control Frameworks That Add Value

I have said for years that the core of business-driven security and the mission of the information risk and security team is “Protect to Enable.” When you are protecting to enable people, data, and the business, you are proactively engaged upfront and aligned with the business on the evaluation of how to achieve the business objective, while best optimizing your controls.

I achieve that through my “9 Box of Controls” approach. Let me explain my perspective on controls, which is rooted in my experiences as a business leader and in my many years in Finance, including my role as a profit and loss manager for a billion-dollar business unit in the late 90s. It is a control philosophy that I have carried forward in my roles in security, but one that I believe is lacking in the industry.

An important aspect of this perspective is the concept of control friction. I’ve developed a simple framework called the 9 Box of Controls, which takes control friction into account when assessing both the value and the impact of any control, including information security controls. I believe that the 9 Box of Controls offers actionable perspective that may be valuable to many organizations facing these universal risk challenges.

My conversations with peers at other companies have ...

This is a Security Bloggers Network syndicated blog post authored by Malcolm Harkins. Read the original post at: Cylance Blog