How to Address Enterprise-Shared Risk

By Jamie Miller
September 1, 2009

Organizations, both government and commercial, continue to increase in size and complexity, as well as in the way they derive value for their customers. As these organizations grow and mature, the departments and business units that comprise them increasingly rely on supporting IT systems, networks and shared infrastructure to send and receive critical information. This reliance on shared and interconnected IT infrastructure, although necessary to help drive growth and to support the achievement of the overall mission, also introduces a new concern: enterprise-shared risk.


Background

The concept of enterprise-shared risk is a concern for organizations that are relatively large and complex, or those that support a number of different business functions (i.e., value chains). These types of organizations are ultimately susceptible because they are comprised of numerous departments and business units that provide differentiated services. As a result, the organization’s different business units typically support distinct value chains and, more specifically, they have very different tolerance levels for risk acceptance (i.e., risk profiles).
     
For example, one business unit’s value chain might support academic research and development aimed at public dissemination, while another business unit’s value chain might be tied to selling and managing finance and investment portfolios. Because the two business units (although under the same umbrella organization) support distinct business requirements and needs, they have very different risk profiles. The risk profile for the business unit focused on academic research is most likely to be very low, as the business unit’s end goal is to distribute and share information and academic research to the public. As a result, this business unit would not focus on information security, nor would it want to allocate significant resources to the management and implementation of supporting information security controls. On the other hand, the risk profile for the business unit focused on finance and investment portfolio management would be much higher, as it is most likely to be very concerned about the protection of the confidential and private financial information that it handles. Logically, this business unit would stress the need for strong information security, and especially the need to employ effective information security controls on the network and IT systems that process the sensitive financial information.
     
There are numerous examples of different business units, under the same larger organization or enterprise, supporting very different value chains and, consequently, having different risk profiles. Although this situation is common, the majority of organizations do not realize the potential negative impact that a service delivery model supported by shared IT infrastructure can have (and continues to have) on the organization's ability to fulfill its overall mission effectively and efficiently.
     
The potential negative impact of different business units managing to unique risk profiles is illustrated when those business units leverage common IT infrastructure, or components of shared IT infrastructure. In that situation the funding, resources and energy spent by the business unit that has identified a need to manage to a higher risk profile are nullified. Through the “least-common-denominator” concept, a potential adversary levels the playing field by compromising the business unit with the lowest level of information security controls, and then traverses the shared network to ultimately compromise the business unit processing the targeted sensitive and confidential information. Under this scenario (illustrated in figure 1), nearly all of the efforts by the business units that managed to a higher risk profile (and that employ robust information security controls) are unable to stop the adversary from compromising their critical information. This scenario creates the potential for considerable cost and resource inefficiency affecting the entire enterprise.
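The “least-common-denominator” effect can be made concrete with a small risk model. The following Python script is an added illustration and is not from the article (figure 1 is not reproduced here); the business-unit names, control levels and shared-infrastructure links are constructed sample values. It treats business units as nodes, shared IT infrastructure between two units as an edge, and computes each unit's effective protection as the weakest control level among all units reachable over shared infrastructure. It then shows the two remedies the rest of the article points toward: segmenting the shared link, or raising every unit to a common baseline.

```python
"""Risk model of enterprise-shared risk ("least common denominator").

Added example, not the article's own material. Business units are nodes,
shared IT infrastructure is an undirected edge, and each unit has a control
level (higher = stronger controls). A unit's effective protection is the
minimum control level within its connected component: an adversary who
compromises the weakest reachable unit can traverse the shared
infrastructure to every other unit in that component.
"""
from collections import deque

# Constructed sample enterprise (illustrative values, not from the article).
CONTROL_LEVELS = {
    "research": 1,   # public dissemination, minimal security investment
    "hr": 2,
    "finance": 5,    # confidential portfolios, strong controls
    "trading": 5,
}

# Constructed shared infrastructure: each pair shares a network segment.
SHARED_INFRA = [
    ("research", "hr"),
    ("hr", "finance"),
    ("finance", "trading"),
]


def build_adjacency(edges):
    """Undirected adjacency map from a list of (unit, unit) pairs."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable_from(unit, adj):
    """All units an adversary could reach from `unit` over shared infrastructure."""
    seen = {unit}
    queue = deque([unit])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_protection(levels, edges):
    """Map each unit to the weakest control level in its connected component."""
    adj = build_adjacency(edges)
    return {
        unit: min(levels[u] for u in reachable_from(unit, adj))
        for unit in levels
    }


def wasted_investment(levels, edges):
    """Units whose own controls exceed what the shared infrastructure delivers,
    with the size of the gap (the article's 'nullified' effort)."""
    eff = effective_protection(levels, edges)
    return {u: levels[u] - eff[u] for u in levels if levels[u] > eff[u]}


def segment(edges, boundary):
    """Remedy 1: remove shared infrastructure links that cross a boundary."""
    cut = {frozenset(p) for p in boundary}
    return [e for e in edges if frozenset(e) not in cut]


def apply_baseline(levels, baseline):
    """Remedy 2: raise every unit to a common enterprise-wide baseline."""
    return {u: max(lvl, baseline) for u, lvl in levels.items()}


if __name__ == "__main__":
    print("shared infra:", effective_protection(CONTROL_LEVELS, SHARED_INFRA))
    print("wasted:", wasted_investment(CONTROL_LEVELS, SHARED_INFRA))
    segmented = segment(SHARED_INFRA, [("hr", "finance")])
    print("segmented:", effective_protection(CONTROL_LEVELS, segmented))
    baselined = apply_baseline(CONTROL_LEVELS, 3)
    print("baseline 3:", effective_protection(baselined, SHARED_INFRA))
```

With the sample values, every unit's effective protection collapses to 1 while the infrastructure is shared, so finance and trading forfeit four levels of investment; cutting the hr–finance link restores their level to 5, and a common baseline of 3 lifts the whole enterprise to 3 without any segmentation.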


Information Security Governance Framework

A proven approach to address enterprise-shared risk is to implement an information security governance framework that addresses the inherent business value of uniformly protecting information and information processes to a common baseline. Its key discriminator is that it focuses on the integration and coordination of information security activities across all components of an enterprise, with the goal of enabling the organization’s mission.
     
Executing an information security governance framework begins with the identification of the greatest information risks across the enterprise (with a focus on the identification of shared risks). Leveraging an “as-is” baselining assessment and an industry-specific benchmarking study (if desired), a tailored information security strategy, integrated with the overall organizational mission, can be generated for mitigating the identified risks. The resulting strategy identifies the key programmatic priorities and lays the foundation for the operational tempo of the business—all aligned under a clear policy and supported by a strong operational model. The framework enables executives and managers to make educated trade-off decisions, balancing the costs and benefits of pursuing a specific information risk posture.
     
There are five key components of a highly effective information security governance framework that every organization should address:
  1. As-is baselining. The as-is baselining study identifies the current state of information security for the organization. This study is designed to assess information security functions against a framework of applicable industry and compliance drivers. Additionally, it is designed to identify the strengths and weaknesses of how the organization currently addresses information security across the enterprise and includes both management and functional perspectives.
  2. Benchmarking. The benchmarking study provides a strong understanding of how similar organizations have addressed the same information security functions. This examination provides awareness of potential pitfalls and proven strategies for avoiding them. The study also identifies possible efficiencies for implementing information security functions. Key to this exercise is the identification of best practices for how to address specific information security requirements and industry drivers.
  3. “To-be” information security strategy. The strategy leverages the results of the benchmarking and as-is baseline studies to formally establish the information security program vision, goals and objectives. Additionally, the strategy captures the organization’s overall information security value chain and process, along with a high-level road map for implementing the program and achieving the stated program goals and objectives.
  4. Information security operating model. The operating model identifies and formalizes the organizational structure for the information security program. It includes the identification of all key stakeholders, a determination of what role they should play in the overall program, as well as identification of where they sit within the larger program. Additionally, this structure includes an interaction model that illustrates how and when key stakeholders communicate, as well as the key management and functional processes and how they work.
  5. Information security policy. The policy identifies the specific organizational roles and responsibilities that support all information security activities, and captures the accepted information risk posture for the organization.

Implementing an information security governance framework is more than just building the individual components. These components must be developed and implemented in a coordinated manner with buy-in from senior leadership across the organization. The enterprise-wide accepted risk posture and baseline should set and drive all other information security and risk management activities.



Summary

An information security governance framework is a powerful, results-oriented, strategic approach to identify and address enterprise-shared risk. By building the necessary components within an integrated framework that addresses the organization's shared risks, an organization can design a program with repeatable processes that lowers risk exposure to an acceptable baseline level. For organizations concerned with proactively managing risk in an uncertain, ever-changing threat environment, implementing an information security governance framework is a must.

Jamie Miller is a senior director for a global strategy and technology consulting firm, overseeing the development of the firm’s information risk management methodology.
