Information Risk Management's Biggest Challenge: Getting Buy-In From Organization's Top Leaders
The biggest challenge in getting organizations to successfully implement an information risk management program is getting buy-in from the organization's senior-most, non-technology leaders, NIST Senior Fellow Ron Ross says.
That's because all organizations are highly dependent on information systems to achieve their goals, says Ross, who leads the National Institute of Standards and Technology's information risk management efforts.
[Also watch the video Ron Ross on Revised Security Controls.]
"When the senior leaders understand that connection, then they're willing to go forward and do what it takes to help protect their information assets," Ross says. "If that connection is not made, then it's very difficult for the folks downstream to do the right thing."
Once senior leaders commit to an information risk management process, the organization identifies its most critical missions and determines the processes needed to achieve them. Then, they develop the appropriate enterprise architecture to operate and carry out their missions. "It's a complicated process, but it's also structured and disciplined," Ross says. "Getting that top level support is the first step to making everything else happen."
In the interview, conducted at the recent RSA Conference 2012, Ross:
- Clarifies the difference between information risk management and information security.
- Discusses synergies between information risk management and other types of risk management.
- Explains how information risk management can help organizations that face budget constraints.
Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.