The increasing severity and volume of cyber-attacks has motivated many organizations to improve and pay particular attention to security risk management.
Since business operations and IT teams typically work in separate silos and use different information and tools, this leads to redundant data collection, overlapping processes, and higher costs. To alleviate this inefficiency, many organizations are moving towards integrating operational and security risk management across the enterprise.
Typically, organizations manage operational risk and security risk separately, via two distinct organizations. The Chief Risk Office or Compliance Management Office usually is in charge of the company’s operational risk management efforts, which typically bridges information to support IT and non-IT leadership for decision making. These oversight functions include enterprise risk management, third-party risk management, policy management, and business continuity management. Operational risk management is not just focused on assessments and reporting, but rather on a top-down risk data model that drives action-ability to govern business units’ key risk indicators (KRIs). Its primary objective is to fulfill the organization’s obligations to auditors.
On the other end of the spectrum, security risk management is traditionally under the purview of the Chief Information Officer who is responsible for meeting the organization’s obligations to its board of directors. Security risk management supports information security operations requirements through a closed-loop, data automation process driving intelligence, business unit criticality assessment, and IT operations remediation. This is present in use cases such as threat and vulnerability management, continuous monitoring, as well as IT compliance and incident management. Security risk management is not just about security operations, but rather a bottom-up controls automation approach that drives action-ability against threats, vulnerabilities, and incidents to assure business units’ key performance indicators (KPIs).
Security risk management has received a lot of attention over the last couple of years. There’s been a lot of technology innovation designed to address the challenges associated with gathering, analyzing, normalizing, and prioritizing volumes of massive data feeds to ensure operational efficiency and swift time-to-remediation.
While separating both operational and security risk management has been a common practice, dynamic changes in the threat landscape are forcing organizations to integrate the two disciplines to gain a holistic view into risk. The bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack.
A good example is third-party risk management, which typically was being handled within the operational risk management practice. With a growing number of attacks now originating from third-party applications or leveraging third-party credentials to gain backdoor access to the organization, data being captured in the third-party risk management process suddenly becomes essential to conduct proper security risk assessments and vice versa.
In light of this fact, many organizations are applying an integrated approach to risk that takes compliance, threats and vulnerabilities, as well as business impact into account. Only a combination of these three factors assures a holistic view of risk. Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.
The transition from a compliance-driven check-box approach to a risk-based model, enables businesses to centralize the ongoing definition, evaluation, remediation, and analysis of their risk posture in a closed-loop process.
