Identifying Risk, or Finding a Needle in a Haystack

Risk management is a hot topic these days. Many industry publications have shifted their focus away from compliance or security to risk management practices. Newer regulations and industry standards are now mandating a risk-based approach to security. This is forcing many organizations to transition from a compliance-driven, check-box approach to a more proactive, risk-based view of security.

Risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. This can sometimes feel like trying to find a needle in a haystack. So how can risk and security professionals harness the potential of big data to identify risks that threaten the organization most?

SIEM, Honey Pots: Attracting the Needle

For many years, businesses either focused on achieving compliance or taking preventive measures to strengthen their security posture. Endless data breaches have proven that neither approach is necessarily effective in minimizing risk. In fact, you could even argue that for years organizations may have misaligned their resources and funds in fighting threats.

What does this mean? Well, when an organization is solely focused on strengthening its compliance posture to pass an audit, it primarily looks at control failures and gaps and tries to mitigate them. However, if there is no threat that could reach the vulnerability in the context of the control gap, why bother? The same applies to vulnerabilities discovered by an organization focused on improving its security posture. Even if a vulnerability can be reached by an existing threat, choosing the right remediation method should also take into account whether any compensating controls are in place that might mitigate the risk. Furthermore, any decision related to resource allocation should be made in conjunction with the business criticality of the compliance or security shortcoming.

That’s where the rubber meets the road in risk management. In other words, risk management must take a variety of factors (such as compliance posture, threats, vulnerabilities, reachability, and business criticality) into account to derive a holistic view and ensure the efficient alignment of resources for remediation actions. In principle this sounds logical. However, if we just consider threat assessments, an organization can quickly accumulate huge amounts of data from its network, web assets, social media, reputation, etc. that need to be combed through.

Even mid-sized organizations are subject to dozens of regulations that mandate thousands of controls, and they have to deal with hundreds of pages of security findings, ranging from vulnerabilities and threats to incidents. These must then be correlated with thousands of assets that represent different levels of business criticality. Using human labor, email, Excel spreadsheets, and survey results to transition to a risk-based approach is unfeasible.

Fortunately, new technology (big data risk management) is emerging that helps not only to aggregate compliance, threat, and vulnerability data but, more importantly, to correlate these data feeds with their business criticality or risk to the organization. The end result is increased operational efficiency and faster time-to-remediation.
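The correlation described above can be shown on a small scale. The following is an added illustration, not code from the article or from any product it refers to: it joins a findings feed with threat reachability, compensating controls, and asset criticality, and compares the result with a severity-only ranking. The scoring formula, field names, and sample data are assumptions constructed for this example.

```python
# Constructed sample feeds (not from the article), keyed by asset and finding id.
MAX_CRIT = 5
ASSETS = {"web-01": 5, "hr-db": 4, "lab-vm": 1}  # business criticality, 1..5
FINDINGS = [  # (asset, finding id, kind, severity 0-10)
    ("web-01", "VULN-A", "vulnerability", 7.5),
    ("hr-db", "CTRL-B", "control_gap", 9.0),
    ("lab-vm", "VULN-C", "vulnerability", 9.8),
    ("hr-db", "VULN-D", "vulnerability", 6.0),
]
THREAT_REACHABLE = {"VULN-A", "VULN-C", "VULN-D"}  # a known threat can reach these
COMPENSATING = {"VULN-D": 0.8}  # share of the risk a compensating control absorbs


def severity_only(findings):
    """Baseline: rank by raw severity, ignoring business context."""
    return [fid for _, fid, _, sev in sorted(findings, key=lambda f: -f[3])]


def prioritize(findings, assets, reachable, compensating):
    """Rank findings by severity x reachability x residual risk x criticality.

    The multiplicative formula is an assumption made for this illustration.
    """
    ranked = []
    for asset, fid, _kind, severity in findings:
        exposure = 1.0 if fid in reachable else 0.0  # no reaching threat: score 0
        residual = 1.0 - compensating.get(fid, 0.0)
        crit = assets.get(asset, MAX_CRIT)  # asset missing from inventory: worst case
        score = round(severity * exposure * residual * crit / MAX_CRIT, 2)
        ranked.append((fid, score))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    print("severity only:", severity_only(FINDINGS))
    for fid, score in prioritize(FINDINGS, ASSETS, THREAT_REACHABLE, COMPENSATING):
        print(f"{fid:8} {score:5.2f}")
```

The highest-severity finding sits on a low-criticality lab machine and the control gap has no threat that reaches it, so both drop below the reachable finding on the business-critical web server.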

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
