Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

A Holistic View of Risk: Moving Beyond Security Risk Management

The increasing severity and volume of cyber-attacks has motivated many organizations to improve and pay particular attention to security risk management.

The increasing severity and volume of cyber-attacks has motivated many organizations to improve and pay particular attention to security risk management.

Since business operations and IT teams typically work in separate silos and use different information and tools, this leads to redundant data collection, overlapping processes, and higher costs. To alleviate this inefficiency, many organizations are moving towards integrating operational and security risk management across the enterprise.

Typically, organizations manage operational risk and security risk separately, via two distinct organizations. The Chief Risk Office or Compliance Management Office usually is in charge of the company’s operational risk management efforts, which typically bridges information to support IT and non-IT leadership for decision making. These oversight functions include enterprise risk management, third-party risk management, policy management, and business continuity management. Operational risk management is not just focused on assessments and reporting, but rather on a top-down risk data model that drives action-ability to govern business units’ key risk indicators (KRIs). Its primary objective is to fulfill the organization’s obligations to auditors.

IT and OT Risk ManagementOn the other end of the spectrum, security risk management is traditionally under the purview of the Chief Information Officer who is responsible for meeting the organization’s obligations to its board of directors. Security risk management supports information security operations requirements through a closed-loop, data automation process driving intelligence, business unit criticality assessment, and IT operations remediation. This is present in use cases such as threat and vulnerability management, continuous monitoring, as well as IT compliance and incident management. Security risk management is not just about security operations, but rather a bottom-up controls automation approach that drives action-ability against threats, vulnerabilities, and incidents to assure business units’ key performance indicators (KPIs).

Security risk management has received a lot of attention over the last couple of years. There’s been a lot of technology innovation designed to address the challenges associated with gathering, analyzing, normalizing, and prioritizing volumes of massive data feeds to ensure operational efficiency and swift time-to-remediation.

While separating both operational and security risk management has been a common practice, dynamic changes in the threat landscape are forcing organizations to integrate the two disciplines to gain a holistic view into risk. The bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack.

A good example is third-party risk management, which typically was being handled within the operational risk management practice. With a growing number of attacks now originating from third-party applications or leveraging third-party credentials to gain backdoor access to the organization, data being captured in the third-party risk management process suddenly becomes essential to conduct proper security risk assessments and vice versa.

In light of this fact, many organizations are applying an integrated approach to risk that takes compliance, threats and vulnerabilities, as well as business impact into account. Only a combination of these three factors assures a holistic view of risk. Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.

Advertisement. Scroll to continue reading.

The transition from a compliance-driven check-box approach to a risk-based model, enables businesses to centralize the ongoing definition, evaluation, remediation, and analysis of their risk posture in a closed-loop process.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...