News Risk Management

Monitoring And Reporting IT Security Risk In Your Organization

To implement a risk-based approach to security, you must be able to gauge and report risk. Here are some tips on how to do it right

Ed Moyle, Contributing Writer
Dark Reading
 March 21, 2013

[Excerpted from "Monitoring and Reporting IT Security Risk in Your Organization," a new report posted this week on Dark Reading's Risk Management Tech Center.]

One of the chief problems facing organizations serious about risk management is the fact that risk changes constantly. Risks increase, diminish or evolve in scope according to a number of factors, including technology changes, business changes, and organizational strategy and direction changes.

More Security Insights

White Papers
More >>
Reports
More >>
Webcasts
More >>

As changes come faster and faster because of increases in the pace of technical innovation and business agility, the overall level of risk for any organization rises. This puts organizations that want to approach risk systematically in a bit of a quandary -- specifically, how can changes to risk level be monitored and reflected in future practices and defenses? What risk monitoring and reporting techniques are timely enough to allow organizations to take action?

You need some way to hone your organization's security data into risk calculations -- to ensure that you're harvesting useful inputs, to ensure that you process input at an interval that makes sense and to ensure that you're reporting on it in a way that executives can use. This isn't always easy.

To start, it's useful to determine what metrics make the most sense in light of the risk assessment methodology you intend to use. To select the values that are most useful for this purpose, it's important to first understand the inputs to the risk management equation individually so you select values that are realistic indicators. You'll need to measure:

* Information about the assets that your organization may use to support the business

* Information about the threats that those assets may encounter in the context of how you will use them

* Vulnerabilities that the assets may have

* Cost and other impacts should these vulnerabilities be exploited

Each piece of information listed here is integral to understanding your overall risk. This means that you'll want to think through what you can evaluate to derive values (that are as meaningful as possible) for each one of these areas.

To get a list of possible metrics that your organization can use to measure risk -- and some ideas on how to report them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.


Related Reading

News

Commentary

Most Popular

On the Web

More On the Web»

Slideshow

Dark Reading Discussions

Start the Discussion


InformationWeek encourages readers to engage in spirited, healthy debate, including taking us to task. However, InformationWeek moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. InformationWeek further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.