Risk

7/16/2012
07:31 AM
50%
50%

4 Reasons Why IT Security Needs Risk Management

Risk management ties infosec to the rest of the enterprise

If IT security departments want to truly meet the risks posed by today's advanced threats, they need to get more scientific with how they develop their strategies. Because based on the breach statistics and malware infection rates, the old methods aren't even close to adequate, security experts warn.

[Empower your users to stop big breaches. See When Will End Users Stop Being Fooled By Online Scams?. ]

"Traditional IT security has what I think of as a Sisyphus complex," says J. Wolfgang Goerlich, information systems and security manager for a Midwest financial services firm. "Every day, we roll the boulders up hill. We leave with as many systems, or boulders, secure as possible at the top of the hill. Overnight, new attacks are formed and new vulnerabilities are released. The next morning, some systems are insecure again, and we start again rolling boulders back up hill."

According to Goerlich and many of his peers, if security organizations are to evolve past that daily toil and affect meaningful change on their respective businesses, they need to embed risk management principles in their decision-making framework. Here are some of the reasons why these experts believe risk management is a must.

Helps Prioritize The Deluge
With too few infosec professionals and too many systems to cover, the traditional boulder-rolling approach makes it difficult to prioritize what rocks to push up the hill first, Goerlich says.

"Moreover, rolling the boulder isn’t the goal of security, but rather the goal is securing the ability of the organization to accomplish its mission," he says. "Risk management is an important technique that focuses security efforts on the organization’s mission and prioritizes efforts on critical systems."

Risk analysis and management based on that analysis makes it possible to do more with less, says Jon Callas, CTO of Entrust.

"By analyzing which threats have which resources allocated to them, combined with measuring the consequences of any type of security failure, you can better understand what you are doing and why you are doing it," he says.

Translates Security Into Language Of Business
According to Conrad Constantine, research engineer at AlienVault, risk management is what ties information security to the rest of the enterprise.

"Security without risk management behind it is an intellectual exercise carried out at the expense of the company," he says.

Rather than sending infosec employees on wild goose chases to defend against the scariest sounding threats, risk management takes a dollars-and-cents approach that grounds IT back to the reality of what it is trying to do—protect the organization's investment in information systems.

"Would you spend $2000 to protect something that is worth $2000? It wouldn't make sense, right? Well, without risk assessment, you can't evaluate your risk and hence you can't evaluate what you should be spending," says Pierluigi Stella, CTO, Network Box USA. "Proper risk management is important to understand even just how much to spend. What are you protecting? What is it worth to you? What will the consequences be to your company if you lose that information or if it falls in the wrong hands? Assess it, and then manage it."

According to Bryan Fite of BT Global Services, risk management is a little bit of a misnomer.

"It should be called Risk & Reward management, because that's how business decisions are made. To get your seat at the table, you must speak in terms the business understands which is money," says Fite, BT Assure Portfolio Manager, U.S. & Canada, BT Global Services. "By adopting a normalized and accepted language, the security professional can commutate more effectively with those who control the budgets and dictate policy.

Drops Security Fixation On Technology
By re-centering the conversation on business priorities, risk management naturally expands IT security's horizons beyond the technology, an effect that can go a long way towards improving the organization's defensive success rate.

"Simply having security technology is not enough," says Jody Brazil, president and CTO of FireMon. "If the technology is not effectively configured, it will fail to provide the intended security. Risk management evaluates the effectiveness of the technology, as well as the people and processes managing that technology

Because as any reader of Kevin Mitnick will attest, security lapses are more often caused by broken processes and poor decisions made by people than by bad technology.

"Too many companies think of security as some hardware they can deploy, without realizing that they have no idea where their weak points are and they do not have proper processes and procedures to ensure that money they spent on technology comes to fruition," says Stella. "What good is a shredder if my employees photocopy someone's SSN card and then throw that copy in the trash?"

Inserts IT Security In Business' Big Picture
Perhaps most importantly, risk management practices insert IT security into the business' big picture, contextualizing activities with how they affect the ability of the business to continue to innovate and thrive.

"Too many companies view security as something that belongs only to the IT department whereas risk assessment and management is a business process and belongs to all the business units," Stella says. "Proper risk management is done when IT is only the project manager but every single business unit contributes its own knowledge to the process; and this needs to start from the top, from the C levels."

But this may well be why IT risk management is such a non-starter at many organizations, he says.

"C levels are too busy to bother; business units don't understand the importance of their involvement; and IT is left alone to fight the battle for everyone," he says. "So what's the IT dept to do? They buy a piece of technology and declare done. But the issues were not really resolved because no one did a true and thorough risk assessment, so later there is nothing to be managed."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Attract More Women Into Cybersecurity - Now
Dawn Kawamoto, Associate Editor, Dark Reading,  1/12/2018
AI in Cybersecurity: Where We Stand & Where We Need to Go
Raffael Marty, VP Security Analytics, Sophos,  1/11/2018
What Can We Learn from Counterterrorism and National Security Efforts?
Adi Dar, Chief Executive Officer of Cyberbit,  1/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.