Managing IT risk is an essential component of the business risk management process, which has achieved broader adoption in recent years. However, with the growing number of data breaches and a whole new set of security challenges facing companies, it’s time to re-examine the definition of IT risk management.
There’s a common misconception that IT risk management should be solely focused on assessing “risks within the scope and responsibility of IT, the IT department, or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events” (Magic Quadrant for IT Risk Management, Gartner, March 2015). Instead, IT risk management should take into account security metrics outside the traditional realm of IT controls to address cyber risks.
At last week’s RSA Conference, many vendors were using the term “risk management” in their messaging. This shift illustrates how the industry is moving from a compliance-based to a pro-active, risk-based approach to security.
The increase in security incidents has forced us to reconsider the effectiveness of the traditional approach to IT risk management. We need to move beyond simply focusing on policy management, compliance mapping, security operations analysis and reporting, IT risk assessment, and incident management. Instead, we should augment the traditional view of IT risk management with security operations capabilities that can respond to the dynamic changes in today’s threat landscape.
To gain insight into their risk posture, organizations must go beyond assessing compliance by taking threats and vulnerabilities as well as business impact into account. Only a combination of these three factors assures a holistic view of risk. Compliance-based security models, which are not typically tied to the business criticality of assets, rely on compensating controls that are applied generically and tested accordingly.
Without a clear understanding of the business criticality that an asset represents, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.
Since cyberattacks can occur any time — point-in-time compliance- and IT-focused security is no longer effective. Instead, a risk-based approach to security as recommended by NIST in SP 800-137 and NIST SP 800-37 (among others) is a better approach.
When applying this model, organizations must automate many otherwise manual, labor-intensive tasks. This, in turn, results in tremendous time and cost savings, reduced risk, improved response readiness, and increased risk-posture visibility. In addition, IT risk management practices must be realigned to include the input of security metrics beyond vulnerability data. Applying risk categorization and scoring to these metrics enables organizations to contextualize threat as well as other security intelligence and gain a holistic view into IT and security risks. This wider perspective is required to defend against cyber threats that may exploit attack surfaces outside of traditional IT controls.