4 Reasons Why IT Security Needs Risk Management
Risk management ties infosec to the rest of the enterprise
If IT security departments want to truly meet the risks posed by today's advanced threats, they need to get more scientific about how they develop their strategies. Judging by breach statistics and malware infection rates, the old methods aren't even close to adequate, security experts warn.
"Traditional IT security has what I think of as a Sisyphus complex," says J. Wolfgang Goerlich, information systems and security manager for a Midwest financial services firm. "Every day, we roll the boulders uphill. We leave with as many systems, or boulders, secure as possible at the top of the hill. Overnight, new attacks are formed and new vulnerabilities are released. The next morning, some systems are insecure again, and we start again rolling boulders back uphill."
According to Goerlich and many of his peers, if security organizations are to evolve past that daily toil and effect meaningful change in their respective businesses, they need to embed risk management principles in their decision-making framework. Here are some of the reasons why these experts believe risk management is a must.
Helps Prioritize The Deluge
With too few infosec professionals and too many systems to cover, the traditional boulder-rolling approach makes it difficult to prioritize what rocks to push up the hill first, Goerlich says.
"Moreover, rolling the boulder isn’t the goal of security, but rather the goal is securing the ability of the organization to accomplish its mission," he says. "Risk management is an important technique that focuses security efforts on the organization’s mission and prioritizes efforts on critical systems."
Risk analysis and management based on that analysis makes it possible to do more with less, says Jon Callas, CTO of Entrust.
"By analyzing which threats have which resources allocated to them, combined with measuring the consequences of any type of security failure, you can better understand what you are doing and why you are doing it," he says.
Translates Security Into Language Of Business
According to Conrad Constantine, research engineer at AlienVault, risk management is what ties information security to the rest of the enterprise.
"Security without risk management behind it is an intellectual exercise carried out at the expense of the company," he says.
Rather than sending infosec employees on wild goose chases to defend against the scariest sounding threats, risk management takes a dollars-and-cents approach that grounds IT back to the reality of what it is trying to do—protect the organization's investment in information systems.
"Would you spend $2000 to protect something that is worth $2000? It wouldn't make sense, right? Well, without risk assessment, you can't evaluate your risk and hence you can't evaluate what you should be spending," says Pierluigi Stella, CTO, Network Box USA. "Proper risk management is important to understand even just how much to spend. What are you protecting? What is it worth to you? What will the consequences be to your company if you lose that information or if it falls in the wrong hands? Assess it, and then manage it."
According to Bryan Fite of BT Global Services, risk management is a little bit of a misnomer.
"It should be called Risk & Reward management, because that's how business decisions are made. To get your seat at the table, you must speak in terms the business understands, which is money," says Fite, BT Assure Portfolio Manager, U.S. & Canada, BT Global Services. "By adopting a normalized and accepted language, the security professional can communicate more effectively with those who control the budgets and dictate policy."
Drops Security Fixation On Technology
By re-centering the conversation on business priorities, risk management naturally expands IT security's horizons beyond the technology, an effect that can go a long way towards improving the organization's defensive success rate.
"Simply having security technology is not enough," says Jody Brazil, president and CTO of FireMon. "If the technology is not effectively configured, it will fail to provide the intended security. Risk management evaluates the effectiveness of the technology, as well as the people and processes managing that technology."
Because as any reader of Kevin Mitnick will attest, security lapses are more often caused by broken processes and poor decisions made by people than by bad technology.
"Too many companies think of security as some hardware they can deploy, without realizing that they have no idea where their weak points are and they do not have proper processes and procedures to ensure that money they spent on technology comes to fruition," says Stella. "What good is a shredder if my employees photocopy someone's SSN card and then throw that copy in the trash?"
Inserts IT Security In Business' Big Picture
Perhaps most importantly, risk management practices insert IT security into the business' big picture, contextualizing activities with how they affect the ability of the business to continue to innovate and thrive.
"Too many companies view security as something that belongs only to the IT department whereas risk assessment and management is a business process and belongs to all the business units," Stella says. "Proper risk management is done when IT is only the project manager but every single business unit contributes its own knowledge to the process; and this needs to start from the top, from the C levels."
But this may well be why IT risk management is such a non-starter at many organizations, he says.
"C levels are too busy to bother; business units don't understand the importance of their involvement; and IT is left alone to fight the battle for everyone," he says. "So what's the IT dept to do? They buy a piece of technology and declare done. But the issues were not really resolved because no one did a true and thorough risk assessment, so later there is nothing to be managed."