Risk management is a hot topic these days. Many industry publications have shifted their focus away from compliance or security to risk management practices. Newer regulations and industry standards are now mandating a risk-based approach to security. This is forcing many organizations to transition from a compliance, check-box driven approach to a more pro-active, risk-based view of security.
Risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. This can sometimes feel like trying to find a needle in a haystack. So how can risk and security professionals harness the potential of big data to identify risks that threaten the organization most?
For many years, businesses focused either on achieving compliance or on taking preventive measures to strengthen their security posture. A steady stream of data breaches has shown that neither approach by itself is effective in minimizing risk. In fact, you could argue that for years organizations have misaligned their resources and funds in fighting threats.
What does this mean? Well, when an organization is solely focused on strengthening its compliance posture to pass an audit, it primarily looks at control failures and gaps and tries to mitigate them. However, if no threat can reach the vulnerability that the control gap exposes, why spend scarce remediation effort there first? The same applies to vulnerabilities discovered by an organization focused on improving its security posture. Even if a vulnerability can be reached by an existing threat, choosing the right remediation method should also take into account whether any compensating controls (network segmentation, a web application firewall, endpoint detection) are already in place and reduce the risk. Furthermore, any decision related to resource allocation should be driven by the business criticality of the asset on which the compliance or security shortcoming sits.
That's where the rubber meets the road in risk management. In other words, risk management must take a variety of factors (such as compliance posture, threats, vulnerabilities, reachability, and business criticality) into account to derive a holistic view and ensure the efficient alignment of resources for remediation actions. In principle this sounds logical. However, if we consider threat assessments alone, an organization can quickly accumulate huge amounts of data from its network, web assets, social media, reputation feeds, etc. that needs to be combed through.
Even mid-sized organizations are subject to dozens of regulations that mandate thousands of controls, and they have to deal with hundreds of pages of security findings, ranging from vulnerabilities and threats to incidents. These must then be correlated with thousands of assets that represent different levels of business criticality. Making the transition to a risk-based approach with human labor, email, Excel spreadsheets, and survey results is not feasible.
Fortunately, new technology, often labeled big data risk management, is emerging that not only aggregates compliance, threat, and vulnerability data, but more importantly correlates these data feeds with their business criticality, or risk, to the organization. The end result is increased operational efficiency and faster time-to-remediation.
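To make the correlation concrete, here is an added Python example (not part of the original article and not any vendor's product logic) that scores a constructed set of findings using the factors discussed above: scanner or audit severity, whether the weakness is being actively exploited, whether the asset is reachable from the internet, what compensating controls are in place, and the asset's business criticality. The asset names, finding identifiers, severities and weighting factors are all invented for illustration; the point is the shape of the calculation, not the specific numbers. It also returns the plain severity-only ordering so the two can be compared.

```python
"""Risk-based prioritisation of security findings (added example).

Constructed data: the assets, findings, identifiers and weights below are
invented for illustration and do not describe any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int                   # business criticality, assumed scale 1 (low) .. 5 (crown jewel)
    internet_exposed: bool             # reachability: can an external threat actually get to it?
    controls: frozenset = frozenset()  # compensating controls already in place


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    kind: str                  # "vulnerability" (scanner) or "control_gap" (audit)
    severity: float            # raw severity 0..10 as reported by the scanner or auditor
    exploited_in_wild: bool    # threat feed says the weakness is being actively used


# Assumed residual-risk multipliers: how much each compensating control
# reduces the likelihood that a reachable weakness is actually exploited.
CONTROL_FACTOR = {"waf": 0.5, "segmentation": 0.6, "edr": 0.8}

# Constructed asset inventory with business criticality and reachability.
ASSETS = {a.name: a for a in [
    Asset("crm-web", 5, True, frozenset({"waf"})),
    Asset("hr-db", 4, False, frozenset({"segmentation"})),
    Asset("lab-vm", 1, True),
]}

# Constructed findings, already normalised to one severity scale.
FINDINGS = [
    Finding("F1", "lab-vm", "vulnerability", 9.8, False),   # critical CVSS, throwaway box
    Finding("F2", "crm-web", "vulnerability", 6.4, True),   # medium, but exploited and exposed
    Finding("F3", "hr-db", "vulnerability", 9.1, True),     # exploited, internal, segmented
    Finding("F4", "lab-vm", "control_gap", 5.0, False),     # audit gap on a low-value asset
]


def risk_score(f: Finding, a: Asset) -> float:
    """Combine severity, threat, reachability, controls and criticality."""
    base = f.severity / 10.0
    threat = 1.0 if f.exploited_in_wild else 0.3   # assumed weights
    reach = 1.0 if a.internet_exposed else 0.4
    mitigation = 1.0
    for control in a.controls:
        mitigation *= CONTROL_FACTOR.get(control, 1.0)
    return round(base * threat * reach * mitigation * a.criticality, 2)


def prioritize(findings, assets):
    """Return (finding_id, score) pairs, highest business risk first."""
    scored = [(f.finding_id, risk_score(f, assets[f.asset])) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def severity_only(findings):
    """The check-box ordering: raw severity, ignoring everything else."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


if __name__ == "__main__":
    print("severity only :", severity_only(FINDINGS))
    print("risk based    :", prioritize(FINDINGS, ASSETS))
```

With these constructed inputs the severity-only view puts the 9.8 on the lab box first, while the risk-based view puts the medium-severity, actively exploited finding on the internet-facing CRM server at the top and pushes the lab box down the list. Swap the weights or the control factors and the ordering changes, which is exactly why an organization has to make those weightings explicit rather than leave them buried in a spreadsheet.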

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).