7 Risk Management Priorities For 2013CISOs seek more discipline in measuring and mitigating risk in the coming year
As CISOs and risk management pros gear up for a new year, they'll be tasked with sheltering their organizations from a highly dynamic threat environment through a renewed sense of discipline as regulators, executives, and shareholders increasingly turn the microscope on their IT security practices. In order to improve and coalesce security practices, it'll take work to line them up with maturing risk management philosophies. According to risk management experts, consultants, and practitioners, enterprises are likely to turn to the following risk management priorities in 2013 to achieve their security objectives.
1. Getting Quantitative
First and foremost, risk management professionals are going to be asked to better measure the performance of their work in the coming year.
"The 2013 trend will be to shift away from risk management implementation and toward the measurement of the performance of those programs," says Tim Erlin, director of IT security and risk strategy for nCircle. "More organizations are losing their security innocence, and they will begin targeting the good, rather than the perfect. Performance management will allow faster, more practical evolution of risk strategies.
According to Doug Landoll, CEO of Assero Security and author of "The Security Risk Assessment Handbook," organizations have got to do a better job getting their hands around the slippery task of quantitative analysis.
"Too many risk assessments, gap assessments, surveys, and other 'measurements' of a security program are based on shaky methods and flawed data gathering," he says.
Landoll suggests that organizations take a balanced approach to measurement through what he calls the Review, Interview, Inspect, Observe, and Test (RIIOT) method. This includes the review of documents about security rules, configurations and controls, interviews of key personnel, inspection of security controls, observation of personnel behavior, and testing of security controls.
[Find out where your privacy risk posture stands. See Free Risk Indexing Tool Offers Start For Assessments.]
2. Using GRC To Improve Business And IT Processes
Not only will security professionals be looking to prove the mettle of their risk management programs through measurable security performance metrics -- they'll also add even more value by finding ways to use those investments to help improve IT and business processes.
"Further evolution of GRC processes, such as data mining and modeling, could transform a company's risk management program into one that drives action," says Steve Schlarman, eGRC solutions architect for RSA, "facilitating process improvement and re-engineering, ultimately resulting in performance gains."
3. Supply Chain Risk Management
As we move into 2013, Bryan Fite, security and mobility portfolio manager for the U.S and Canada at BT, says to expect more disclosures and discoveries around major supply chain channels. This will put pressure on IT to better assess and manage the risks before they cost the organization.
"Whether it's compromised business partners, Trojaned chips, backdoored embedded systems, broken business processes, rogue humans, or crafty nation-states -- next year we'll see a renewed interest in the subject," Fite says.
4. Human Risks
As more organizations take a cold, hard look at how much human risk factors cost them in IT security incidents compared to any other factor, they'll be looking for better ways to mitigate the risks their people pose.
"Human-risk factors are becoming a key focus thanks to the combination of readily accessible cloud services, BYOD policies that officially sanction data exfiltration, and the increasingly apparent need to reassert a culture of accountability," says Ben Tomhave, senior consultant for LockPath.
How this will affect awareness program implementation is still in the air, but Scott Gréaux, vice president of product management and services for PhishMe, believes it will require a better measurement of how well training is getting through to employees.
"Risk management teams need to stop measuring awareness in page views and number of minutes a user has been in training, and start to focus on critical output metrics, such as user susceptibility and user reported incidents," he says.
5. Continuous Monitoring
A longtime brass ring for which IT security professionals have been reaching, continuous monitoring is likely to be a big priority for many organizations again in 2013.
"This would include everything from near real-time regulatory compliance checking to near real-time vulnerability detection," says Dan Sherman, director of information security for Telos Corp. "You cannot defend a network without knowing what is happening on it."
Dr. Mike Lloyd says to expect continuous monitoring initiatives to move beyond FISMA and NIST origins.
"Continuous monitoring will be taken up by [or required of] anyone doing business with the U.S. government, and will end the year closer to being a standard 'best practice' for all organizations," says Lloyd, CTO of Red Seal Networks
6. Speaking The Language
Penetration testing reports, SIEM outputs, and gap assessment action items might be essential to a CISO in advancing risk management maturity, but they won't translate themselves, Landoll says.
"In 2013, CISOs will finally be required to learn the language of the boardroom and need to speak SWOT, ROI, IRR, due diligence, payback period, and other MBA terms," he says. "Your security strategy will need to be mapped to business objectives with clear metrics for tracking progress and tactics for managing success."
7. Incident Preparedness
Increasingly, IT risk managers are learning that they not only need to mitigate risks that lead to a security incident to occur, but also to control the risks following an event. According to Chip Tsantes, incident preparedness will be a top priority in the coming year.
"Companies must be thinking about how to react as a firm, not as a security team. To prepare, they should identify the right contacts, establish appropriate contracts, and define a communication plan and procedures to save valuable time during an attack," says Tsantes, a consultant with Ernst & Young's Information Security Advisory Services.
According to Gréaux, most organizations today are "woefully unprepared" and use outdated and underdeveloped response plans. Not only do they need to work on those, but they also need to put in place detection mechanisms that allow them to find and isolate problems as quickly as possible.
"Making real-time decisions may be ineffective or cause additional damage. Although many organizations employ SIEMs and other 'big data' solutions to help them identify incidents, most have not properly tuned their solutions to properly alert on probable incidents," he says, explaining that many organizations will look to outsource the work to incident detection and response service providers.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.