Executive summary
A radical approach that takes a broad but risk-focused view across the IT estate and facilitates quick and easy deployment of real-world risk mitigation activities.
Public and private sector organisations are implementing large-scale information assurance programmes which seek to understand the risks to their information assets and put in place appropriate controls to manage them. However, the traditional approach is not fit for purpose in today’s complex, high-risk and cash-constrained operating environment: it typically generates a mountain of paperwork that is almost impossible to convert into practical, real-world risk mitigation measures.
Moreover, while information assurance is challenging enough in a relatively benign, steady-state operating environment, organisations are now exposed to significant new risks from organised and motivated cyber threats. With a perception of ‘too little for too much’, organisations are in danger of turning away from their information assurance programmes just when they need them the most.
Given today’s challenging operating environment, the traditional ‘fat’ approach needs to be streamlined. In this paper we present ‘lean information assurance’ (Lean IA), a radical approach that takes a broad but risk-focused view across the IT estate and facilitates quick and easy deployment of real-world risk mitigation activities. Rather than pumping time and money into generating a paper mountain, Lean IA enables organisations to apply effort in a balanced manner that is commensurate with the risks to which they are exposed.
Managing risks in challenging times
Public and private sector organisations are coming under increasing pressure to protect critical information relating to their employees, customers and partners. To maintain high levels of trust and assurance they are implementing large-scale information assurance programmes. These seek to map out the information that is held across the IT estate, understand the risks to which it is exposed and put in place appropriate controls to manage these risks without compromising information sharing and exploitation.
However, it is fast becoming clear that the traditional information assurance approach, still driven by an academic perception of ‘good practice’, is not fit for purpose in today’s complex, high-risk and cash-constrained operating environment. All too often information assurance programmes end up as bloated, labour-intensive exercises that seek to measure and document compliance in such detail that the end result is a mountain of analytical paperwork. Converting this into practical, real-world measures that actually mitigate the risks is almost impossible, assuming that those measures are even justified in the first place.