So much to read, so little time - Top Information Security Risks for 2008
Now this is impressive! It's going to take a while to get through the supporting reference documents, but the summary alone is gold and, from my perspective, a must-read for anyone doing IT risk management.
In the primary summary document, "Top Information Security Risks for 2008", we get an impressive laundry list of threats and vulnerabilities, their impacts, the resulting risk, and the controls that address it. Page 5 lays out the specific risks. Some of them can be addressed with technical control products already on the market; #2, Information Leakage, is a good example. If you want to get down and dirty understanding those products, spend some time with Rich over at Securosis, specifically his blog entries on DLP (Data Loss Prevention) and the summary of them that became his white paper on understanding and selecting DLP solutions.
This section also highlights non-technical controls, audits, etc. Risk #5 reads: "poor information security studies, risk assessments, projects/assignments and/or staffing/organization, causing failed, wasted, excessive or otherwise inadequate controls and practices selection, implementation, performance measurement, monitoring and/or auditing." Wow, that's a mouthful! But this is exactly what IT GRC is all about. Using these software platforms, you can move beyond poor, ad hoc attempts at mitigating this risk and ensure your enterprise takes a comprehensive, top-down look at all potential risks and assesses their impact. If you then go down to #1 in the controls section of the document, you will see what in my eyes is basically an advertisement for an IT GRC solution and the process around deploying it: "investment in a good and systematic ISMS (Information Security Management System) incorporating high quality information assurance processes..."
A key statement back in risk #5 that I was surprised to see was the explicit call-out of "excessive" controls. This is something we at Securityworks (especially Bryan) are passionate about. Some vendors in the IT GRC space believe that if you throw the entire "book of controls" at the problem, you will be fine. We believe it's about making sure you have quality controls in place, not simply quantity. Bryan has talked about this previously.
Labels: grc, iso 17799, iso 27001, it grc, it risk, it-grc, non-technical controls, risk, security
