Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Myth-Buster: Addressing IT Risk Management Misconceptions

Managing IT risk is an essential component of the business risk management process, which has achieved broader adoption in recent years. However, with the growing number of data breaches and a whole new set of security challenges facing companies, it’s time to re-examine the definition of IT risk management.

Managing IT risk is an essential component of the business risk management process, which has achieved broader adoption in recent years. However, with the growing number of data breaches and a whole new set of security challenges facing companies, it’s time to re-examine the definition of IT risk management.

There’s a common misconception that IT risk management should be solely focused on assessing “risks within the scope and responsibility of IT, the IT department, or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events” (Magic Quadrant for IT Risk Management, Gartner, March 2015). Instead, IT risk management should take into account security metrics outside the traditional realm of IT controls to address cyber risks.

Managing IT RiskAt last week’s RSA Conference, many vendors were using the term “risk management” in their messaging. This shift illustrates how the industry is moving from a compliance-based to a pro-active, risk-based approach to security.

The increase in security incidents has forced us to reconsider the effectiveness of the traditional approach to IT risk management. We need to move beyond simply focusing on policy management, compliance mapping, security operations analysis and reporting, IT risk assessment, and incident management. Instead, we should augment the traditional view of IT risk management with security operations capabilities that can respond to the dynamic changes in today’s threat landscape.

To gain insight into their risk posture, organizations must go beyond assessing compliance by taking threats and vulnerabilities as well as business impact into account. Only a combination of these three factors assures a holistic view of risk. Compliance-based security models, which are not typically tied to the business criticality of assets, rely on compensating controls that are applied generically and tested accordingly.

Without a clear understanding of the business criticality that an asset represents, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.

Since cyberattacks can occur any time — point-in-time compliance- and IT-focused security is no longer effective. Instead, a risk-based approach to security as recommended by NIST in SP 800-137 and NIST SP 800-37 (among others) is a better approach.

When applying this model, organizations must automate many otherwise manual, labor-intensive tasks. This, in turn, results in tremendous time and cost savings, reduced risk, improved response readiness, and increased risk-posture visibility. In addition, IT risk management practices must be realigned to include the input of security metrics beyond vulnerability data. Applying risk categorization and scoring to these metrics enables organizations to contextualize threat as well as other security intelligence and gain a holistic view into IT and security risks. This wider perspective is required to defend against cyber threats that may exploit attack surfaces outside of traditional IT controls.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Funding/M&A

More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...