Risk

9/25/2019
03:35 PM
When Compliance Isn't Enough: A Case for Integrated Risk Management

Why governance, risk, and compliance solutions lull companies into a false sense of security, and how to form a more effective approach.

The governance, risk, and compliance (GRC) approach to risk management is proving insufficient as companies grapple with myriad tools amid a false sense of security. Instead they now are turning to integrated risk management (IRM) and risk quantification to inform strategies.

"What we are seeing, and have seen over the last five years, is a pivot away from more of a compliance-focused approach around IT and security risk that you'd typically find in a GRC program, or even in utilizing GRC technology," says John Wheeler, global research leader for Gartner's Risk Management Technology division. His focus is on IRM, which encompasses different ways to address risk, including vehicles for transferring it, such as cyber insurance.

GRC, now around for nearly two decades, stemmed from a growing need to address the broad landscape of compliance mandates security pros face year after year, Wheeler says. While GRC is helpful in meeting those mandates, companies that invested heavily in GRC-specific tools found themselves with a "potpourri" of products that were either purpose-built to address a specific compliance requirement or limited in their ability to understand risks unique and specific to the organization.

"For many organizations, they may have a false sense of security," he adds. "If they think they are compliant with regulations, risks are addressed … [this] couldn't be further from the truth."

It is imperative that companies understand their individual risk profile, Wheeler continues; out of that will come a greater ability to meet the compliance mandates that are relevant to the business. Rather than focus on GRC, many are turning to IRM so they can comprehend how IT risk, along with cybersecurity requirements and posture, fits into and aligns with broader operational risk.

"[IRM is] taking it beyond technology into the realm of people and process risk, and ultimately all the way up to overall strategic risk of an organization, such that they can understand their security and IT risk aligned with where the organization is headed strategically," he explains.

IRM is a "forward-looking risk posture" in that it considers the most strategic initiatives a business is taking on, and where it's headed, as opposed to reporting on historical security incidents. While past events are important and can inform an enterprise approach to security, they make up only a small piece of the picture – and one senior executives and board members can't fully appreciate as it has little relevance to what they're hoping to achieve in the future.

Context is Key: Why IRM is Different

The core of IRM is the ability to perform risk assessment at an asset-based level, which aligns with the IT or cybersecurity world, says Wheeler, who spoke about the approach at this week's FAIR Conference, held in Washington, D.C. Most IT and security pros assess the risk of their hardware, software, and data assets to determine which of these are most critical.

"That is important, but what they lack is context of how those assets are also tied into the broader business," he says. They need to take the risk assessment of a given process, and the people involved, and tie those into asset-based risk assessment to realize how they intersect.

For example, you may have a server on the network deemed critical, but in reality, it doesn't support any critical business processes, so it doesn't need to be highly ranked. At the same time, you may have an asset labeled non-critical, located outside the core network and tied into a highly critical business process. For that reason, it will need to be treated differently. These risk assessments can help IT better understand how different systems relate to one another; in doing this, they can better prioritize their work efforts and resource allocation, he adds.
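One way to make the reranking described above concrete is to score each asset by the criticality of the business processes it supports rather than by its IT rating alone. The example below is added here and is not code from the article or from Gartner; the asset names, process names and 1-to-5 ratings are constructed sample data, and the scoring rule (business context overrides the IT-only rating, with the IT rating as a tiebreaker) is an assumption chosen to illustrate the point.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    it_criticality: int                            # 1 (low) .. 5 (high), from the asset-based assessment
    supports: list = field(default_factory=list)   # business processes this asset supports

# Constructed sample data: business-process criticality ratings, 1 (low) .. 5 (high)
PROCESSES = {"payroll": 5, "order-fulfilment": 5, "internal-wiki": 1}

# Constructed sample assets mirroring the article's two cases
ASSETS = [
    Asset("core-db-server", 5, ["internal-wiki"]),    # critical per IT, supports no critical process
    Asset("branch-kiosk", 1, ["order-fulfilment"]),   # non-critical per IT, outside the core network
    Asset("hr-app-server", 4, ["payroll"]),
    Asset("test-vm", 2),                              # supports nothing
]

def business_criticality(asset, processes):
    """Highest criticality among the processes the asset supports (0 if none)."""
    return max((processes.get(p, 0) for p in asset.supports), default=0)

def contextual_priority(asset, processes):
    """Assumed scoring rule: business context dominates, IT rating breaks ties."""
    return business_criticality(asset, processes) + asset.it_criticality / 10

def prioritize(assets, processes):
    """Assets ordered by contextual priority, highest first."""
    return sorted(assets, key=lambda a: contextual_priority(a, processes), reverse=True)

def reclassifications(assets, processes, threshold=4):
    """Assets whose IT-only rating and business-context rating disagree:
    'overrated' = IT says critical but no critical process depends on it,
    'underrated' = IT says non-critical but a critical process depends on it."""
    out = {"overrated": [], "underrated": []}
    for a in assets:
        biz = business_criticality(a, processes)
        if a.it_criticality >= threshold and biz < threshold:
            out["overrated"].append(a.name)
        elif a.it_criticality < threshold and biz >= threshold:
            out["underrated"].append(a.name)
    return out

if __name__ == "__main__":
    for a in prioritize(ASSETS, PROCESSES):
        print(f"{a.name:16} IT={a.it_criticality} context={contextual_priority(a, PROCESSES):.1f}")
    print(reclassifications(ASSETS, PROCESSES))
```

The `reclassifications` output is the list a security team would review with process owners: the "overrated" server can be deprioritized, while the "underrated" kiosk needs controls matching the process it supports.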

IRM is helpful in informing the development of new products and services, says Wheeler, as it provides a vertical view of risk through the company. This is "essential" in helping businesses address digital risk management as it relates to the creation and delivery of new digital products and services, an issue of great importance to CEOs who want to use these to grow.

"To do that effectively, they need to have that vertical view of risk down through the organization to give them better understanding and visibility into the risk they face with digital products and services," Wheeler says. "Not only for developing a business case, but then as it progresses from business case to design and delivery, understanding how risk profile changes."

Navigating Shifts and Challenges

Wheeler acknowledges adopting IRM comes with its obstacles: while security pros can use tools and methodologies to better quantify risk, he says, it will never be precise in its calculation.

"It's unlike, say, financial risk, when you get into credit risk or market risk, where you can be very precise in the amount of risk that needs to be mitigated or transferred," he explains. The goal of this exercise should be "directionally correct," as he puts it, instead of entirely exact. With that expectation, organizations can focus on creating and maintaining a dialogue around IT and cybersecurity risk, and make decisions based on the directionally correct data they have.

He also points to a shift occurring within many organizations, which are seeing more and more risk borne by people within the business as opposed to technology experts and leaders. As this is happening, tech is moving into a frontline activity as it supports products and services. This accountability will drive a desire within the business to be engaged and understand the risk.

With that engagement comes the need for a shared understanding. IT and security pros can provide risk data, but everyone must keep the focus on the risk itself rather than on the process of calculating the risk amount. In his experience, Wheeler says, much of the conversation between business and technology devolves into a discussion of how a risk amount was calculated, which sidesteps the goal of addressing risk in a way that drives the business forward.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
