5 Views On Achieving Business ROI Through Risk Management

Bringing value to the business through effective risk management

Often viewed as the most effective groundwork laid for a truly successful security program, governance, risk, and compliance (GRC) activities within an enterprise will not only reduce risk, but also deliver business value through improved processes and better decision-making. Dark Reading recently caught up with five consulting practitioners around the industry to discuss their views on how organizations can both achieve ROI through risk management and demonstrate it to senior management.

Make Risk Management Holistic
According to Bryan Fite, BT Assure portfolio manager in the U.S. and Canada for BT Global Services, too many organizations today fail to manage risk in a holistic way.

"Rather, they maintain silos of risk management activity that often use completely different methodologies and tools to model and treat risk," he says. "Security operations, audit/compliance, and business [risk] -- think CFO and board of directors -- are the silos most seen in the wild."

This kind of structure might have worked in the old world, but that is not the case in the age of BYOD, cloud computing, and increased regulatory demands, Fite says.

"It does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk," he says. "To stay relevant and competitive, organizations need to develop a new capability. They need to develop the ability to measure and justify trust."

New business challenges require a new way of managing risk and reward, Fite says.

"By adopting common risk management metrics, innovative controls, and trust management techniques, CSOs and other security practitioners can survive and prosper in the age of cloud computing and shared services," he says. "This will allow for a holistic view of risk across the organization that ensures that limited budgets are allocated in the optimal way."

Don't Forget All Your Quantifiable Returns While Determining ROI
Determining the ROI of IT security is all about comparing potential costs to deploy defensive countermeasures against the perceived value of the resulting reduction of risk, says Joe Fisher, president of Affinity IT Security. While it is easy to quantify those countermeasures, the real trick is to measure all of the benefits.

"It is very easy to underestimate the benefits of an IT security initiative; many are intangible and difficult to estimate," he says. "This can be very challenging until you realize that the value of avoiding negative consequences is both real and quantifiable. In other words, the ROI calculation must recognize and account for the value of avoiding the full scope of economic damages that can result from a breach."

Fisher says that to arrive at a true ROI calculation, organizations need to account for the avoidance of six major breach cost areas: forensic analysis, remediation, prevention of future attacks, legal liability, brand and reputation damage, and stock price damage.

"The costs of each of these can be estimated, and should be aggregated to form a comprehensive assessment of potential damage," he says. "This can then be discounted by the likelihood of the breach occurring to arrive at a risk adjusted damage estimate."

In most cases the resulting financial benefits dwarf the costs, making a strong numerical business case for investment in IT security and risk management.

Match Risk Management To Business Performance Objectives
"As organizations think about achieving ROI from security spend, they need to remember that the returns are very different for compliance and for risk management," says Brian Barnier, principal of ValueBridge Advisors. For compliance, cost benefits usually occur due to waste-trimming in processes, whereas risk management brings value to business decision-making processes.

"Risk management tools that make the true state of risks and returns more visible and help make better decisions more quickly naturally bring huge payoffs," Barnier says. "For example, how quickly can an IT system be reconfigured to support a new product, customer, or partner? If not fast enough, take action to change IT to easily enable profitable revenue."

He believes that the truly world-class organizations are the ones that are able to set up their decision-making through a repeatable, standardized framework, such as COBiT or ITIL.

"In this way, risk management always returns a multiple of value by focusing on growing profitable revenue," he says.
