Risk
7/16/2012

4 Reasons Why IT Security Needs Risk Management

Risk management ties infosec to the rest of the enterprise

If IT security departments want to truly meet the risks posed by today's advanced threats, they need to get more scientific about how they develop their strategies. Based on breach statistics and malware infection rates, the old methods aren't even close to adequate, security experts warn.

[Empower your users to stop big breaches. See "When Will End Users Stop Being Fooled By Online Scams?"]

"Traditional IT security has what I think of as a Sisyphus complex," says J. Wolfgang Goerlich, information systems and security manager for a Midwest financial services firm. "Every day, we roll the boulders up hill. We leave with as many systems, or boulders, secure as possible at the top of the hill. Overnight, new attacks are formed and new vulnerabilities are released. The next morning, some systems are insecure again, and we start again rolling boulders back up hill."

According to Goerlich and many of his peers, if security organizations are to evolve past that daily toil and effect meaningful change in their respective businesses, they need to embed risk management principles in their decision-making framework. Here are some of the reasons why these experts believe risk management is a must.

Helps Prioritize The Deluge
With too few infosec professionals and too many systems to cover, the traditional boulder-rolling approach makes it difficult to prioritize what rocks to push up the hill first, Goerlich says.

"Moreover, rolling the boulder isn’t the goal of security, but rather the goal is securing the ability of the organization to accomplish its mission," he says. "Risk management is an important technique that focuses security efforts on the organization’s mission and prioritizes efforts on critical systems."

Risk analysis and management based on that analysis makes it possible to do more with less, says Jon Callas, CTO of Entrust.

"By analyzing which threats have which resources allocated to them, combined with measuring the consequences of any type of security failure, you can better understand what you are doing and why you are doing it," he says.

Translates Security Into Language Of Business
According to Conrad Constantine, research engineer at AlienVault, risk management is what ties information security to the rest of the enterprise.

"Security without risk management behind it is an intellectual exercise carried out at the expense of the company," he says.

Rather than sending infosec employees on wild goose chases to defend against the scariest sounding threats, risk management takes a dollars-and-cents approach that grounds IT back to the reality of what it is trying to do—protect the organization's investment in information systems.

"Would you spend $2000 to protect something that is worth $2000? It wouldn't make sense, right? Well, without risk assessment, you can't evaluate your risk and hence you can't evaluate what you should be spending," says Pierluigi Stella, CTO, Network Box USA. "Proper risk management is important to understand even just how much to spend. What are you protecting? What is it worth to you? What will the consequences be to your company if you lose that information or if it falls in the wrong hands? Assess it, and then manage it."

According to Bryan Fite of BT Global Services, risk management is a little bit of a misnomer.

"It should be called Risk & Reward management, because that's how business decisions are made. To get your seat at the table, you must speak in terms the business understands, which is money," says Fite, BT Assure Portfolio Manager, U.S. & Canada, BT Global Services. "By adopting a normalized and accepted language, the security professional can communicate more effectively with those who control the budgets and dictate policy."

Drops Security Fixation On Technology
By re-centering the conversation on business priorities, risk management naturally expands IT security's horizons beyond the technology, an effect that can go a long way towards improving the organization's defensive success rate.

"Simply having security technology is not enough," says Jody Brazil, president and CTO of FireMon. "If the technology is not effectively configured, it will fail to provide the intended security. Risk management evaluates the effectiveness of the technology, as well as the people and processes managing that technology."

As any reader of Kevin Mitnick will attest, security lapses are more often caused by broken processes and poor decisions made by people than by bad technology.

"Too many companies think of security as some hardware they can deploy, without realizing that they have no idea where their weak points are and they do not have proper processes and procedures to ensure that money they spent on technology comes to fruition," says Stella. "What good is a shredder if my employees photocopy someone's SSN card and then throw that copy in the trash?"

Inserts IT Security In Business' Big Picture
Perhaps most importantly, risk management practices insert IT security into the business' big picture, contextualizing activities with how they affect the ability of the business to continue to innovate and thrive.

"Too many companies view security as something that belongs only to the IT department whereas risk assessment and management is a business process and belongs to all the business units," Stella says. "Proper risk management is done when IT is only the project manager but every single business unit contributes its own knowledge to the process; and this needs to start from the top, from the C levels."

But this may well be why IT risk management is such a non-starter at many organizations, he says.

"C levels are too busy to bother; business units don't understand the importance of their involvement; and IT is left alone to fight the battle for everyone," he says. "So what's the IT dept to do? They buy a piece of technology and declare done. But the issues were not really resolved because no one did a true and thorough risk assessment, so later there is nothing to be managed."
