07:31 AM

4 Reasons Why IT Security Needs Risk Management

Risk management ties infosec to the rest of the enterprise

If IT security departments want to truly meet the risks posed by today's advanced threats, they need to get more scientific with how they develop their strategies. Because based on the breach statistics and malware infection rates, the old methods aren't even close to adequate, security experts warn.

[Empower your users to stop big breaches. See When Will End Users Stop Being Fooled By Online Scams?. ]

"Traditional IT security has what I think of as a Sisyphus complex," says J. Wolfgang Goerlich, information systems and security manager for a Midwest financial services firm. "Every day, we roll the boulders up hill. We leave with as many systems, or boulders, secure as possible at the top of the hill. Overnight, new attacks are formed and new vulnerabilities are released. The next morning, some systems are insecure again, and we start again rolling boulders back up hill."

According to Goerlich and many of his peers, if security organizations are to evolve past that daily toil and affect meaningful change on their respective businesses, they need to embed risk management principles in their decision-making framework. Here are some of the reasons why these experts believe risk management is a must.

Helps Prioritize The Deluge
With too few infosec professionals and too many systems to cover, the traditional boulder-rolling approach makes it difficult to prioritize what rocks to push up the hill first, Goerlich says.

"Moreover, rolling the boulder isn’t the goal of security, but rather the goal is securing the ability of the organization to accomplish its mission," he says. "Risk management is an important technique that focuses security efforts on the organization’s mission and prioritizes efforts on critical systems."

Risk analysis and management based on that analysis makes it possible to do more with less, says Jon Callas, CTO of Entrust.

"By analyzing which threats have which resources allocated to them, combined with measuring the consequences of any type of security failure, you can better understand what you are doing and why you are doing it," he says.

Translates Security Into Language Of Business
According to Conrad Constantine, research engineer at AlienVault, risk management is what ties information security to the rest of the enterprise.

"Security without risk management behind it is an intellectual exercise carried out at the expense of the company," he says.

Rather than sending infosec employees on wild goose chases to defend against the scariest sounding threats, risk management takes a dollars-and-cents approach that grounds IT back to the reality of what it is trying to do—protect the organization's investment in information systems.

"Would you spend $2000 to protect something that is worth $2000? It wouldn't make sense, right? Well, without risk assessment, you can't evaluate your risk and hence you can't evaluate what you should be spending," says Pierluigi Stella, CTO, Network Box USA. "Proper risk management is important to understand even just how much to spend. What are you protecting? What is it worth to you? What will the consequences be to your company if you lose that information or if it falls in the wrong hands? Assess it, and then manage it."

According to Bryan Fite of BT Global Services, risk management is a little bit of a misnomer.

"It should be called Risk & Reward management, because that's how business decisions are made. To get your seat at the table, you must speak in terms the business understands which is money," says Fite, BT Assure Portfolio Manager, U.S. & Canada, BT Global Services. "By adopting a normalized and accepted language, the security professional can commutate more effectively with those who control the budgets and dictate policy.

Drops Security Fixation On Technology
By re-centering the conversation on business priorities, risk management naturally expands IT security's horizons beyond the technology, an effect that can go a long way towards improving the organization's defensive success rate.

"Simply having security technology is not enough," says Jody Brazil, president and CTO of FireMon. "If the technology is not effectively configured, it will fail to provide the intended security. Risk management evaluates the effectiveness of the technology, as well as the people and processes managing that technology

Because as any reader of Kevin Mitnick will attest, security lapses are more often caused by broken processes and poor decisions made by people than by bad technology.

"Too many companies think of security as some hardware they can deploy, without realizing that they have no idea where their weak points are and they do not have proper processes and procedures to ensure that money they spent on technology comes to fruition," says Stella. "What good is a shredder if my employees photocopy someone's SSN card and then throw that copy in the trash?"

Inserts IT Security In Business' Big Picture
Perhaps most importantly, risk management practices insert IT security into the business' big picture, contextualizing activities with how they affect the ability of the business to continue to innovate and thrive.

"Too many companies view security as something that belongs only to the IT department whereas risk assessment and management is a business process and belongs to all the business units," Stella says. "Proper risk management is done when IT is only the project manager but every single business unit contributes its own knowledge to the process; and this needs to start from the top, from the C levels."

But this may well be why IT risk management is such a non-starter at many organizations, he says.

"C levels are too busy to bother; business units don't understand the importance of their involvement; and IT is left alone to fight the battle for everyone," he says. "So what's the IT dept to do? They buy a piece of technology and declare done. But the issues were not really resolved because no one did a true and thorough risk assessment, so later there is nothing to be managed."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
White Papers
More White Papers
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: " I think Google Doodle is getting a little out of control"
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.