12/27/2012 08:22 PM
Better Integrate IT Risk Management With Enterprise Risk Activities

Not only would IT security risks receive greater attention; integrated risk management could also lead to better business performance.

As IT security executives seek greater buy-in for their risk mitigation efforts in 2013, they should be looking to improve their relevance to the enterprise, experts say. To achieve that, IT governance, risk, and compliance (GRC) programs have to be better merged with overall enterprise risk management strategies.

"By aligning IT GRC with its cousins in financial and legal GRC, organizations can accelerate GRC program growth and maturity to better realize the value of information risk management and its disproportionately high impact on operational risk management," says Ben Tomhave, senior consultant for security consultancy LockPath.

[How are CISOs preparing for 2013? See 7 Risk Management Priorities For 2013.]

As Ernst & Young (EY) explained in a report this summer on overall enterprise risk management practices (PDF), risk control and compliance activities tend to grow "fragmented, siloed, independent, and misaligned" as the organization grows. This is a problem considering that the board of directors rarely views risk in separate buckets.

"A challenging economy, natural disasters, and technology threats have dominated the news of recent years," says Jerry Goldberg, partner at Navigate, a management consulting firm in Philadelphia. "Governance boards and executives are under increased scrutiny to provide shareholders with peace of mind that a company's risks -- strategic, operational, financial, and compliance -- are proactively being identified and mitigated."

Unfortunately, when IT risk management is siloed off from the rest of the enterprise risk management program, that peace of mind becomes difficult to offer: communication breaks down because the language IT risk managers speak doesn't jibe with the language financial risk managers speak, for example.

"Many organizations do not manage risk in a holistic way," says Bryan Fite, BT Assure portfolio manager for BT Global Services U.S. and Canada operations. "However, it does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk."

This is increasingly apropos given how the intersection of technology with new business processes has raised the relevance of IT risks to overall business operations.

"Business operations are increasingly reliant on information technology, and with the convergence of the business and the information technology environment comes new kinds of vulnerabilities, risks, and threats," says Vasant Balasubramanian, a vice president of product management for GRC vendor MetricStream. "Organizations are quickly turning to IT GRC programs to facilitate true enterprisewide risk management, provide increased resource savings, and ensure compliance with new laws and mandates, all of which enables organizations to thrive in this increasingly complex business and IT landscape."

According to EY consultants, one of the most important steps toward a more consistent enterprise risk management approach is to use consistent methods and practices across disparate risk management activities. That means IT security has to coordinate with financial and operational risk managers across the organization. On the flip side, EY also suggests a common information and technology platform to collect metrics and track risk management activities.

"Now more than ever, organizations need to have a comprehensive and coordinated governance, risk, and compliance management approach," says Paul van Kessel, global IT risk and assurance leader for EY. "Technology can play an important role in enabling change and in finding the right balance among risk, cost, and value across the enterprise."

Not only will this alignment help meet the baseline goals of reducing immediate risks to technology infrastructure and to the processes it supports, but closer alignment with business objectives could also give IT risk managers the opportunity to deliver greater business value through previously unheard-of performance gains.

"Further evolution of GRC processes, such as data mining and modeling, could transform a company's risk management program into one that drives action, facilitating process improvement and re-engineering, and ultimately resulting in performance gains," says Steve Schlarman, eGRC solutions architect for RSA.

In fact, numbers from EY substantiate those claims. The firm found that companies in the top 20 percent of risk maturity generated three times the level of earnings as those in the bottom 20 percent, based on a review of more than 2,750 analyst and company reports.
