Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/16/2012
07:31 AM
50%
50%

4 Reasons Why IT Security Needs Risk Management

Risk management ties infosec to the rest of the enterprise

If IT security departments want to truly meet the risks posed by today's advanced threats, they need to get more scientific with how they develop their strategies. Because based on the breach statistics and malware infection rates, the old methods aren't even close to adequate, security experts warn.

[Empower your users to stop big breaches. See When Will End Users Stop Being Fooled By Online Scams?. ]

"Traditional IT security has what I think of as a Sisyphus complex," says J. Wolfgang Goerlich, information systems and security manager for a Midwest financial services firm. "Every day, we roll the boulders up hill. We leave with as many systems, or boulders, secure as possible at the top of the hill. Overnight, new attacks are formed and new vulnerabilities are released. The next morning, some systems are insecure again, and we start again rolling boulders back up hill."

According to Goerlich and many of his peers, if security organizations are to evolve past that daily toil and affect meaningful change on their respective businesses, they need to embed risk management principles in their decision-making framework. Here are some of the reasons why these experts believe risk management is a must.

Helps Prioritize The Deluge
With too few infosec professionals and too many systems to cover, the traditional boulder-rolling approach makes it difficult to prioritize what rocks to push up the hill first, Goerlich says.

"Moreover, rolling the boulder isn’t the goal of security, but rather the goal is securing the ability of the organization to accomplish its mission," he says. "Risk management is an important technique that focuses security efforts on the organization’s mission and prioritizes efforts on critical systems."

Risk analysis and management based on that analysis makes it possible to do more with less, says Jon Callas, CTO of Entrust.

"By analyzing which threats have which resources allocated to them, combined with measuring the consequences of any type of security failure, you can better understand what you are doing and why you are doing it," he says.

Translates Security Into Language Of Business
According to Conrad Constantine, research engineer at AlienVault, risk management is what ties information security to the rest of the enterprise.

"Security without risk management behind it is an intellectual exercise carried out at the expense of the company," he says.

Rather than sending infosec employees on wild goose chases to defend against the scariest sounding threats, risk management takes a dollars-and-cents approach that grounds IT back to the reality of what it is trying to do—protect the organization's investment in information systems.

"Would you spend $2000 to protect something that is worth $2000? It wouldn't make sense, right? Well, without risk assessment, you can't evaluate your risk and hence you can't evaluate what you should be spending," says Pierluigi Stella, CTO, Network Box USA. "Proper risk management is important to understand even just how much to spend. What are you protecting? What is it worth to you? What will the consequences be to your company if you lose that information or if it falls in the wrong hands? Assess it, and then manage it."

According to Bryan Fite of BT Global Services, risk management is a little bit of a misnomer.

"It should be called Risk & Reward management, because that's how business decisions are made. To get your seat at the table, you must speak in terms the business understands which is money," says Fite, BT Assure Portfolio Manager, U.S. & Canada, BT Global Services. "By adopting a normalized and accepted language, the security professional can commutate more effectively with those who control the budgets and dictate policy.

Drops Security Fixation On Technology
By re-centering the conversation on business priorities, risk management naturally expands IT security's horizons beyond the technology, an effect that can go a long way towards improving the organization's defensive success rate.

"Simply having security technology is not enough," says Jody Brazil, president and CTO of FireMon. "If the technology is not effectively configured, it will fail to provide the intended security. Risk management evaluates the effectiveness of the technology, as well as the people and processes managing that technology

Because as any reader of Kevin Mitnick will attest, security lapses are more often caused by broken processes and poor decisions made by people than by bad technology.

"Too many companies think of security as some hardware they can deploy, without realizing that they have no idea where their weak points are and they do not have proper processes and procedures to ensure that money they spent on technology comes to fruition," says Stella. "What good is a shredder if my employees photocopy someone's SSN card and then throw that copy in the trash?"

Inserts IT Security In Business' Big Picture
Perhaps most importantly, risk management practices insert IT security into the business' big picture, contextualizing activities with how they affect the ability of the business to continue to innovate and thrive.

"Too many companies view security as something that belongs only to the IT department whereas risk assessment and management is a business process and belongs to all the business units," Stella says. "Proper risk management is done when IT is only the project manager but every single business unit contributes its own knowledge to the process; and this needs to start from the top, from the C levels."

But this may well be why IT risk management is such a non-starter at many organizations, he says.

"C levels are too busy to bother; business units don't understand the importance of their involvement; and IT is left alone to fight the battle for everyone," he says. "So what's the IT dept to do? They buy a piece of technology and declare done. But the issues were not really resolved because no one did a true and thorough risk assessment, so later there is nothing to be managed."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Talk about vendor lock in...
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11816
PUBLISHED: 2019-05-20
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.
CVE-2019-10076
PUBLISHED: 2019-05-20
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
CVE-2019-10077
PUBLISHED: 2019-05-20
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
CVE-2019-10078
PUBLISHED: 2019-05-20
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
CVE-2019-12239
PUBLISHED: 2019-05-20
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.