Risk
12/27/2012
08:22 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Better Integrate IT Risk Management With Enterprise Risk Activities

Not only will IT security risks be given greater attention, risk management could affect better business performance as a result

As IT security executives seek to gain greater buy-in for their risk mitigation efforts in 2013, they should be looking to improve their enterprise relevance, experts say. And in order to gain that, IT governance, risk, and compliance (GRC) programming has to be better merged with overall enterprise risk management strategies.

"By aligning IT GRC with its cousins in financial and legal GRC, organizations can accelerate GRC program growth and maturity to better realize the value of information risk management and its disproportionately high impact on operational risk management," says Ben Tomhave, senior consultant for security consultancy LockPath.

[How are CISOs preparing for 2013? See 7 Risk Management Priorities For 2013.]

As Ernst & Young (EY) explained in a report this summer on overall enterprise risk management practices (PDF), risk control and compliance activities tend to grow "fragmented, siloed, independent, and misaligned" as the organization grows. This is a problem considering that the board of directors rarely views risk in separate buckets.

"A challenging economy, natural disasters, and technology threats have dominated the news of recent years," says Jerry Goldberg, partner at Navigate, a management consulting firm in Philadelphia. "Governance boards and executives are under increased scrutiny to provide shareholders with peace of mind that a company's risks -- strategic, operational, financial, and compliance -- are proactively being identified and mitigated."

Unfortunately, when IT risk management is siloed off from the rest of the enterprise risk management program, it becomes difficult to offer that peace of mind when communication is confused because the language that IT risk managers speak doesn't jibe with the language financial risk managers speak, for example.

"Many organizations do not manage risk in a holistic way," says Bryan Fite, BT Assure portfolio manager for BT Global Services U.S. and Canada operations. "However, it does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk."

This is increasingly apropos considering how the intersection of technology with new business processes has upped the relevance of IT risks on overall business operations.

"Business operations are increasingly reliant on information technology, and with the convergence of the business and the information technology environment comes new kinds of vulnerabilities, risks, and threats," says Vasant Balasubramanian, a vice president of product management for GRC vendor MetricStream. "Organizations are quickly turning to IT GRC programs to facilitate true enterprisewide risk management, provide increased resource savings, and ensure compliance with new laws and mandates, all of which enables organizations to thrive in this increasingly complex business and IT landscape."

According to EY consultants, one of the most important steps to achieving a more consistent enterprise risk management approach is to use consistent methods and practices across disparate risk management activities. That means IT security has to coordinate with financial and operational risk managers across the organization. On the flip side, EY also suggests common information and technology platform to collect metrics and track risk management activities.

"Now more than ever, organizations need to have a comprehensive and coordinated governance, risk, and compliance management approach," says Paul van Kessel, global IT risk and assurance leader for EY. "Technology can play an important role in enabling change and in finding the right balance among risk, cost, and value across the enterprise."

Not only will this alignment help meet the baseline goals of reducing immediate risks to technology infrastructure and to the processes it supports, but better alignment with business objectives could give IT risk managers the opportunity to offer greater business value though previously unheard of performance gains.

"Further evolution of GRC processes, such as data mining and modeling, could transform a company's risk management program into one that drives action, facilitating process improvement and re-engineering, and ultimately resulting in performance gains," says Steve Schlarman, eGRC solutions architect for RSA.

In fact, numbers from EY substantiate those claims. The firm found that companies in the top 20 percent of risk maturity generated three times the level of earnings as those in the bottom 20 percent, based on a review of more than 2,750 analyst and company reports.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web