informa
2 min read
Quick Hits

Monitoring And Reporting IT Security Risk In Your Organization

To implement a risk-based approach to security, you must be able to gauge and report risk. Here are some tips on how to do it right
[Excerpted from "Monitoring and Reporting IT Security Risk in Your Organization," a new report posted this week on Dark Reading's Risk Management Tech Center.]

One of the chief problems facing organizations serious about risk management is the fact that risk changes constantly. Risks increase, diminish or evolve in scope according to a number of factors, including technology changes, business changes, and organizational strategy and direction changes.

As changes come faster and faster because of increases in the pace of technical innovation and business agility, the overall level of risk for any organization rises. This puts organizations that want to approach risk systematically in a bit of a quandary -- specifically, how can changes to risk level be monitored and reflected in future practices and defenses? What risk monitoring and reporting techniques are timely enough to allow organizations to take action?

You need some way to hone your organization's security data into risk calculations -- to ensure that you're harvesting useful inputs, to ensure that you process input at an interval that makes sense and to ensure that you're reporting on it in a way that executives can use. This isn't always easy.

To start, it's useful to determine what metrics make the most sense in light of the risk assessment methodology you intend to use. To select the values that are most useful for this purpose, it's important to first understand the inputs to the risk management equation individually so you select values that are realistic indicators. You'll need to measure:

* Information about the assets that your organization may use to support the business

* Information about the threats that those assets may encounter in the context of how you will use them

* Vulnerabilities that the assets may have

* Cost and other impacts should these vulnerabilities be exploited

Each piece of information listed here is integral to understanding your overall risk. This means that you'll want to think through what you can evaluate to derive values (that are as meaningful as possible) for each one of these areas.

To get a list of possible metrics that your organization can use to measure risk -- and some ideas on how to report them -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.