11:25 AM
Connect Directly

5 Views On Achieving Business ROI Through Risk Management

Bringing value to the business through effective risk management

Often viewed as the most effective groundwork laid for a truly successful security program, governance, risk, and compliance (GRC) activities within an enterprise will not only reduce risk, but also deliver business value through improved processes and better decision-making. Dark Reading recently caught up with five consulting practitioners around the industry to discuss their views on how organizations can both achieve ROI through risk management and demonstrate it to senior management.

Make Risk Management Holistic
According to Bryan Fite, BT Assure portfolio manager in the U.S. and Canada for BT Global Services, too many organizations today fail to manage risk in a holistic way.

"Rather, they maintain silos of risk management activity that often use completely different methodologies and tools to model and treat risk," he says. "Security operations, audit/compliance, and business [risk] -- think CFO and board of directors -- are the silos most seen in the wild."

This kind of structure might have worked in the old world, but that is not the case in the age of BYOD, cloud computing, and increased regulatory demands, Fite says.

"It does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk," he says. "To stay relevant and competitive, organizations need to develop a new capability. They need to develop the ability to measure and justify trust."

New business challenges require a new way of managing risk and reward, Fite says.

"By adopting common risk management metrics, innovative controls, and trust management techniques, CSOs and other security practitioners can survive and prosper in the age of cloud computing and shared services," he says. "This will allow for a holistic view of risk across the organization that ensures that limited budgets are allocated in the optimal way."

Don't Forget All Your Quantifiable Returns While Determining ROI
Determining the ROI of IT security is all about comparing potential costs to deploy defensive countermeasures against the perceived value of the resulting reduction of risk, says Joe Fisher, president of Affinity IT Security. While it is easy to quantify those countermeasures, the real trick is to measure all of the benefits.

"It is very easy to underestimate the benefits of an IT security initiative; many are intangible and difficult to estimate," he says. "This can be very challenging until you realize that the value of avoiding negative consequences is both real and quantifiable. In other words, the ROI calculation must recognize and account for the value of avoiding the full scope of economic damages can result from a breach."

Fisher says in order to get a true ROI calculation, there are six major breach cost areas that organizations need to account for avoiding: forensic analysis, remediation, prevention of future attacks, legal liability, brand and reputation damage, and stock price damage.

"The costs of each of these can be estimated, and should be aggregated to form a comprehensive assessment of potential damage," he says. "This can then be discounted by the likelihood of the breach occurring to arrive at a risk adjusted damage estimate."

Typically, the resulting financial benefits dwarf the costs, making for a strong numerical case for risk management investment.

In most cases the resulting benefits dwarf the costs, making the business case for IT security a very strong one.

Match Risk Management To Business Performance Objectives
As organizations think about achieving ROI from security spend, they need to remember that the returns are very different for compliance and for risk management," says Brian Barnier, principal of ValueBridge Advisors. For compliance, cost benefits usually occur due to waste-trimming in processes, whereas risk management brings value to business decision-making processes.

"Risk management tools that make the true state of risks and returns more visible and help make better decisions more quickly naturally bring huge payoffs," Barnier says. "For example, how quickly can an IT system be reconfigured to support a new product, customer, or partner? If not fast enough, take action to change IT to easily enable profitable revenue."

He believes that the truly world-class organizations are the ones that are able to set up their decision-making through a repeatable, standardized framework, such as COBiT or ITIL.

"In this way, risk management always returns a multiple of value by focusing on growing profitable revenue," he says.

Next Page: Consistency is key.

1 of 2
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.