
12/27/2012
08:22 PM

Better Integrate IT Risk Management With Enterprise Risk Activities

Not only will IT security risks be given greater attention, but risk management could drive better business performance as a result

As IT security executives seek to gain greater buy-in for their risk mitigation efforts in 2013, they should be looking to improve their enterprise relevance, experts say. And in order to gain that, IT governance, risk, and compliance (GRC) programming has to be better merged with overall enterprise risk management strategies.

"By aligning IT GRC with its cousins in financial and legal GRC, organizations can accelerate GRC program growth and maturity to better realize the value of information risk management and its disproportionately high impact on operational risk management," says Ben Tomhave, senior consultant for security consultancy LockPath.

[How are CISOs preparing for 2013? See 7 Risk Management Priorities For 2013.]

As Ernst & Young (EY) explained in a report this summer on overall enterprise risk management practices (PDF), risk control and compliance activities tend to grow "fragmented, siloed, independent, and misaligned" as the organization grows. This is a problem considering that the board of directors rarely views risk in separate buckets.

"A challenging economy, natural disasters, and technology threats have dominated the news of recent years," says Jerry Goldberg, partner at Navigate, a management consulting firm in Philadelphia. "Governance boards and executives are under increased scrutiny to provide shareholders with peace of mind that a company's risks -- strategic, operational, financial, and compliance -- are proactively being identified and mitigated."

Unfortunately, when IT risk management is siloed off from the rest of the enterprise risk management program, it becomes difficult to offer that peace of mind: communication breaks down because the language IT risk managers speak doesn't match the language that financial risk managers speak, for example.

"Many organizations do not manage risk in a holistic way," says Bryan Fite, BT Assure portfolio manager for BT Global Services U.S. and Canada operations. "However, it does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk."

This is increasingly apropos considering how the intersection of technology with new business processes has upped the relevance of IT risks on overall business operations.

"Business operations are increasingly reliant on information technology, and with the convergence of the business and the information technology environment comes new kinds of vulnerabilities, risks, and threats," says Vasant Balasubramanian, a vice president of product management for GRC vendor MetricStream. "Organizations are quickly turning to IT GRC programs to facilitate true enterprisewide risk management, provide increased resource savings, and ensure compliance with new laws and mandates, all of which enables organizations to thrive in this increasingly complex business and IT landscape."

According to EY consultants, one of the most important steps toward a more consistent enterprise risk management approach is to use consistent methods and practices across disparate risk management activities. That means IT security has to coordinate with financial and operational risk managers across the organization. On the flip side, EY also suggests a common information and technology platform to collect metrics and track risk management activities.

"Now more than ever, organizations need to have a comprehensive and coordinated governance, risk, and compliance management approach," says Paul van Kessel, global IT risk and assurance leader for EY. "Technology can play an important role in enabling change and in finding the right balance among risk, cost, and value across the enterprise."

Not only will this alignment help meet the baseline goals of reducing immediate risks to technology infrastructure and to the processes it supports, but better alignment with business objectives could give IT risk managers the opportunity to offer greater business value through previously unheard-of performance gains.

"Further evolution of GRC processes, such as data mining and modeling, could transform a company's risk management program into one that drives action, facilitating process improvement and re-engineering, and ultimately resulting in performance gains," says Steve Schlarman, eGRC solutions architect for RSA.

In fact, numbers from EY substantiate those claims. The firm found that companies in the top 20 percent of risk maturity generated three times the level of earnings as those in the bottom 20 percent, based on a review of more than 2,750 analyst and company reports.
