SecurityWeek

Management & Strategy

A Holistic View of Risk: Moving Beyond Security Risk Management

The increasing severity and volume of cyber-attacks have motivated many organizations to improve and pay particular attention to security risk management.

Because business operations and IT teams typically work in separate silos and use different information and tools, the result is redundant data collection, overlapping processes, and higher costs. To alleviate this inefficiency, many organizations are moving towards integrating operational and security risk management across the enterprise.

Typically, organizations manage operational risk and security risk separately, via two distinct organizations. The Chief Risk Office or Compliance Management Office is usually in charge of the company’s operational risk management efforts, which typically bridge information to support IT and non-IT leadership in decision making. These oversight functions include enterprise risk management, third-party risk management, policy management, and business continuity management. Operational risk management is not just focused on assessments and reporting, but rather on a top-down risk data model that drives actionability to govern business units’ key risk indicators (KRIs). Its primary objective is to fulfill the organization’s obligations to auditors.

On the other end of the spectrum, security risk management is traditionally under the purview of the Chief Information Officer, who is responsible for meeting the organization’s obligations to its board of directors. Security risk management supports information security operations requirements through a closed-loop, data automation process driving intelligence, business unit criticality assessment, and IT operations remediation. This is present in use cases such as threat and vulnerability management, continuous monitoring, as well as IT compliance and incident management. Security risk management is not just about security operations, but rather a bottom-up controls automation approach that drives actionability against threats, vulnerabilities, and incidents to assure business units’ key performance indicators (KPIs).

Security risk management has received a lot of attention over the last couple of years. There’s been a lot of technology innovation designed to address the challenges associated with gathering, analyzing, normalizing, and prioritizing volumes of massive data feeds to ensure operational efficiency and swift time-to-remediation.

While separating both operational and security risk management has been a common practice, dynamic changes in the threat landscape are forcing organizations to integrate the two disciplines to gain a holistic view into risk. The bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack.

A good example is third-party risk management, which was typically handled within the operational risk management practice. With a growing number of attacks now originating from third-party applications or leveraging third-party credentials to gain backdoor access to the organization, data captured in the third-party risk management process suddenly becomes essential to conducting proper security risk assessments, and vice versa.

In light of this fact, many organizations are applying an integrated approach to risk that takes compliance, threats and vulnerabilities, as well as business impact into account. Only a combination of these three factors assures a holistic view of risk. Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.

The transition from a compliance-driven check-box approach to a risk-based model enables businesses to centralize the ongoing definition, evaluation, remediation, and analysis of their risk posture in a closed-loop process.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
