Global enterprises must oversee scores of third-party suppliers, many of whom have access to customers, sensitive data and critical technology. The weakest link within that global supply chain represents a potentially significant threat to the overall business. As such, effective governance that provides end-to-end visibility across the entire chain is essential to a viable and effective cyber security strategy.
Executives seeking to implement an effective strategy, meanwhile, face the challenge of responding to a dynamic threat landscape that is constantly evolving. This means that they must be ever-vigilant, responsive and adaptive to new threats. The problem, however, is that many organizations conduct security audits on an annual or regularly scheduled basis. This approach can create a false sense of security and convince executives that “we’re doing all the right things.” More specifically, it can result in serious new risks being ignored because reviewing new threats isn’t on the schedule.
A more effective approach to responding to constantly changing risks is a “threshold map” model: a mechanism that monitors and evaluates risk on an ongoing basis. Any change that pushes risk across a defined threshold triggers a reassessment of the organization’s security posture. The map is tailored to different business units and operational towers, and for each it defines the specific criteria that, when met, require that reassessment.
Under this approach, an organization might require a security assessment on a monthly basis, or every two months, or every two years. By basing the assessment on changes in the risk environment rather than on an arbitrary schedule, threshold mapping facilitates responsiveness to new threats and drives continuous improvement.
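The following is an added illustration of the threshold-map model described above; it is example code written for this page, not a tool from the author or any product. The business unit ("payments"), the three risk criteria, the thresholds and the event stream are all constructed assumptions. It shows the two points the text makes: a reassessment is requested the day a criterion is crossed rather than on a calendar, and the same risk change under a fixed annual audit would wait until the next scheduled review.

```python
"""Threshold-map risk monitoring: event-driven reassessment triggers.

Constructed example, not from the article. Every criterion, tower,
threshold and event below is an illustrative assumption.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Criterion:
    """One entry in a threshold map: a risk signal and the level at which
    reaching it (>=) requires a reassessment of the tower."""
    signal: str
    threshold: float
    description: str


@dataclass
class TowerState:
    """Current risk signals for one business unit / operational tower."""
    tower: str
    criteria: List[Criterion]
    signals: Dict[str, float] = field(default_factory=dict)
    last_assessed: Optional[date] = None
    # Criteria that have already fired since the last reassessment.
    triggered: Set[str] = field(default_factory=set)


def apply_event(state: TowerState, signal: str, delta: float) -> List[str]:
    """Record a change in a risk signal and return the descriptions of the
    criteria whose threshold is newly crossed.

    A criterion fires once per crossing: after it fires it is suppressed
    until the tower is reassessed, so a signal that keeps rising does not
    generate a fresh reassessment request on every event.
    """
    state.signals[signal] = state.signals.get(signal, 0.0) + delta
    newly_crossed = []
    for c in state.criteria:
        if c.signal != signal or c.description in state.triggered:
            continue
        if state.signals[signal] >= c.threshold:
            state.triggered.add(c.description)
            newly_crossed.append(c.description)
    return newly_crossed


def reassess(state: TowerState, when: date) -> None:
    """Mark the tower as reassessed and re-arm its criteria. After this,
    the next change that leaves a signal above threshold fires again."""
    state.last_assessed = when
    state.triggered.clear()


def scheduled_wait_days(last_audit: date, risk_change: date, interval_days: int) -> int:
    """Days a risk change would wait for review under a fixed audit schedule."""
    next_audit = last_audit + timedelta(days=interval_days)
    while next_audit < risk_change:
        next_audit += timedelta(days=interval_days)
    return (next_audit - risk_change).days


def build_payments_tower() -> TowerState:
    """Constructed threshold map for a hypothetical 'payments' tower."""
    return TowerState(
        tower="payments",
        criteria=[
            Criterion("suppliers_with_customer_data_access", 5, "5+ suppliers hold customer data"),
            Criterion("open_critical_findings", 1, "any open critical finding at a supplier"),
            Criterion("suppliers_onboarded_since_assessment", 3, "3+ new suppliers since last assessment"),
        ],
        last_assessed=date(2024, 1, 15),
    )


def run_demo() -> dict:
    """Replay a constructed event stream and compare both review models."""
    tower = build_payments_tower()
    # Constructed events: (date, signal, change). Not real supplier data.
    events: List[Tuple[date, str, float]] = [
        (date(2024, 2, 1), "suppliers_onboarded_since_assessment", 2),   # 2 < 3: no trigger
        (date(2024, 2, 10), "suppliers_with_customer_data_access", 4),   # 4 < 5: no trigger
        (date(2024, 3, 3), "open_critical_findings", 1),                 # 1 >= 1: trigger
        (date(2024, 3, 4), "open_critical_findings", 1),                 # already fired: suppressed
        (date(2024, 3, 20), "suppliers_onboarded_since_assessment", 1),  # 3 >= 3: trigger
    ]
    triggers: List[Tuple[str, str]] = []
    for when, signal, delta in events:
        for fired in apply_event(tower, signal, delta):
            triggers.append((when.isoformat(), fired))
    first_change = date.fromisoformat(triggers[0][0])
    return {
        "triggers": triggers,
        # Under the threshold map the reassessment request is raised on
        # first_change itself; under an annual audit it waits this long.
        "annual_audit_wait_days": scheduled_wait_days(tower.last_assessed, first_change, 365),
    }


if __name__ == "__main__":
    print(run_demo())
```

In practice the signals would be fed from supplier onboarding, assessment and findings systems rather than a hand-written list, and the criteria per tower would come from the threshold map the text describes. The suppression in `apply_event` is the part worth keeping: without it, a single deteriorating signal produces a reassessment request on every update, which is the same noise problem in a different form.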
About the author
Peter Iannone specializes in helping major corporations evaluate, implement and optimize IT and business process outsourcing arrangements. His clients include major banks, insurance companies, asset management firms and other financial institutions.