• Risk impact awareness – Perform business impact analysis systematically on all categories of risk with subject matter experts

• Effective risk communication – Ensure that risk metrics and treatment plan recommendations reach risk owners in a timely and unbiased manner directly from risk analysis experts

• Formally integrate information and technology governance with risk management – this ensures metrics serve as lag indicators (achievement of goals) and lead indicators (application of practice)

• Develop tools and processes to search for unexpected information security events (use analytics on as much data as feasible)

• Perform descriptive and/or predictive data mining to reduce risk uncertainty

• Shift focus to end-points where information is created, stored, processed and consumed

• Identify the location of your most critical information and monitor it in near-real time

• Focus on quality of software implementation

• Engage data owners in the ISMS process (the InfoSec role is a broker between data owners and data custodians)

 – Information classification
 – Risk analysis and awareness
 – Security assessment and audit
 – Incident management and reporting

• Develop Risk Intelligence taking into account all risk components

 – Vulnerabilities – Standard enumeration exists (CVE)
 – Impact – Simpler to quantify in monetary units
 – Threats – Only technical threats are comparable
 – Monitor Key Risk Indexes (KRX) when the above 3 risk components are comparable as weighted averages of incident occurrence – and likelihoods, or even probabilities?

Presentation slides: Optimizing ISMS: Focus on risk management