Dark Reading | Risk
12/27/2012 08:22 PM

Better Integrate IT Risk Management With Enterprise Risk Activities

Not only will IT security risks get greater attention; integrated risk management could also improve business performance as a result

As IT security executives seek greater buy-in for their risk mitigation efforts in 2013, they should be looking to improve their relevance to the enterprise, experts say. To gain that relevance, IT governance, risk, and compliance (GRC) programs have to be better merged with overall enterprise risk management strategies.

"By aligning IT GRC with its cousins in financial and legal GRC, organizations can accelerate GRC program growth and maturity to better realize the value of information risk management and its disproportionately high impact on operational risk management," says Ben Tomhave, senior consultant for security consultancy LockPath.

[How are CISOs preparing for 2013? See 7 Risk Management Priorities For 2013.]

As Ernst & Young (EY) explained in a report this summer on overall enterprise risk management practices, risk control and compliance activities tend to grow "fragmented, siloed, independent, and misaligned" as the organization grows. This is a problem because the board of directors rarely views risk in separate buckets.

"A challenging economy, natural disasters, and technology threats have dominated the news of recent years," says Jerry Goldberg, partner at Navigate, a management consulting firm in Philadelphia. "Governance boards and executives are under increased scrutiny to provide shareholders with peace of mind that a company's risks -- strategic, operational, financial, and compliance -- are proactively being identified and mitigated."

Unfortunately, when IT risk management is siloed off from the rest of the enterprise risk management program, it becomes difficult to offer that peace of mind: communication breaks down because the language IT risk managers speak doesn't match the language financial risk managers speak, for example.

"Many organizations do not manage risk in a holistic way," says Bryan Fite, BT Assure portfolio manager for BT Global Services U.S. and Canada operations. "However, it does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk."

This is increasingly relevant as the intersection of technology with new business processes has raised the impact of IT risks on overall business operations.

"Business operations are increasingly reliant on information technology, and with the convergence of the business and the information technology environment comes new kinds of vulnerabilities, risks, and threats," says Vasant Balasubramanian, a vice president of product management for GRC vendor MetricStream. "Organizations are quickly turning to IT GRC programs to facilitate true enterprisewide risk management, provide increased resource savings, and ensure compliance with new laws and mandates, all of which enables organizations to thrive in this increasingly complex business and IT landscape."

According to EY consultants, one of the most important steps toward a more consistent enterprise risk management approach is to use consistent methods and practices across disparate risk management activities. That means IT security has to coordinate with financial and operational risk managers across the organization. EY also suggests a common information and technology platform to collect metrics and track risk management activities.

"Now more than ever, organizations need to have a comprehensive and coordinated governance, risk, and compliance management approach," says Paul van Kessel, global IT risk and assurance leader for EY. "Technology can play an important role in enabling change and in finding the right balance among risk, cost, and value across the enterprise."

Not only will this alignment help meet the baseline goals of reducing immediate risks to technology infrastructure and to the processes it supports, but better alignment with business objectives could also give IT risk managers the opportunity to deliver greater business value through performance gains.

"Further evolution of GRC processes, such as data mining and modeling, could transform a company's risk management program into one that drives action, facilitating process improvement and re-engineering, and ultimately resulting in performance gains," says Steve Schlarman, eGRC solutions architect for RSA.

Numbers from EY lend support to those claims. Based on a review of more than 2,750 analyst and company reports, the firm found that companies in the top 20 percent of risk maturity generated three times the level of earnings of those in the bottom 20 percent. That is a correlation rather than proof that risk maturity causes higher earnings, but it is the kind of figure that gets a board's attention.
