Raise Your Company's Enterprise Risk Management IQ

A Strong Risk Management Strategy Can Provide Efficiencies and Cost Savings in Security Operations.

There’s a lot of discussion these days about security intelligence—specifically, how to improve risk and compliance business processes. A lack of security data isn’t the issue. In fact, the problem is too much data and not enough usable information. Siloed security information, fragmented data points, and not enough security point-product integration have come together to create a mind-numbing challenge for enterprise risk managers and security executives.

Converting Limitless Data into Actionable Information

So how do you use what seems like a limitless supply of scattershot security data to build an effective risk management program? It’s kind of like the age-old challenge of using a higher percentage of your mental capacity. While experts may disagree on the percentage we actually use, almost all agree that we only use a small fraction of our brain’s potential.

A movie released this year, Limitless, put an interesting spin on this concept. The protagonist is an author with a serious case of writer’s block whose friend offers him an experimental drug called NZT that unlocks the full potential of the human brain. He stumbles upon a cache of NZT and in no time is banging out literary masterpieces, ruling the stock market and pretty much controlling the world. But what happens when he runs out of the super drug? That’s a pretty serious risk management issue.

A Smarter Approach to Enterprise Risk Management

Fortunately, you don’t need an endless supply of NZT to raise your company's enterprise risk management IQ. What’s required is a well-thought-out enterprise risk management strategy.

There’s been much discussion over the past few years of the need for IT/business alignment. If you haven’t already done so, this is the logical starting point. This process will provide a better understanding of both IT/business enablement and your enterprise risk environment. There are plenty of articles on this topic, many of which stress the need to involve key business stakeholders in the process.

The next logical step is to align your risk and compliance capabilities with underlying IT control points. Both of these processes will benefit greatly from four key risk management capabilities, which follow four logical steps:

Automatically Assess: Assess and measure security threats and risks—and analyze the potential impact on your business environment.

Intelligently Respond: Respond and mitigate risks and security incidents based on priority and impact to the business.

Proactively Enforce: Proactively lock down your business systems and data, ensuring that only appropriate personnel, systems, and processes can access them.

Monitor in Real Time: Ensure that systems and processes are working as expected and adhering to security policies and compliance standards.

Step 1: Automatically Assess

You must be able to measure and analyze your IT environment to understand the underlying security threats and associated risks. However, it’s important to go a step further and measure the impact those risks pose to your business. Doing this effectively requires proactive measurement and analysis. Relying on old data from an annual compliance audit, or conducting a backward-looking assessment after a system failure, results in a perpetual loop of reactive security fire drills. Rather than addressing yesterday’s security issues and incidents, you need to focus on potential risks and be able to analyze them in a business context, understanding what impact they may have on your business systems and processes.

Step 2: Intelligently Respond

Accurate real-time risk intelligence holds the key to quickly addressing potential security issues, rather than waiting for incidents to occur. You must be able to assess security risks and respond to security incidents in an intelligent, prioritized way. By understanding the risk impact, you may actually be able to disregard certain risks for the time being or have processes or controls in place to stratify and prioritize lower-level threats, while focusing on issues that pose more serious risk to your business.

Step 3: Proactively Enforce

Two proactive security approaches are proving effective at locking down your business systems and data, ensuring that only appropriate personnel and processes can access them.

Application whitelisting allows you to define a specific, secure configuration for a system, application, or database, and disallow the execution of any instruction set that has not been previously approved: a default-deny model in which anything not on the approved list is blocked. It gives you the ability to enforce compliance with a policy, a security configuration, or a regulatory requirement. Effective whitelisting prevents hackers and malware from touching those assets or systems.

Virtual patching is another smart approach to proactive enforcement. It intercepts, in memory, transaction requests made to a specific database and validates those requests against known vulnerabilities before allowing database access. Processes can be put in place to make sure that a given vulnerability cannot be exploited even though the underlying software remains unpatched.

This is critically important for companies that run legacy databases from vendors who no longer provide patches. Some companies have so many databases that it may take three to six months to patch them all. Virtual patching helps these companies close the vulnerability window using predictive threat protection. It also helps companies address the lag time between when a new vulnerability is discovered and a patch can be developed, distributed, and deployed.
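The following is an added illustration (not code from the article or from any McAfee product) of the two enforcement ideas described above working together in front of a database: requests are reduced to their shape, checked against a set of virtual-patch rules, and then allowed only if the shape is on a previously approved list. The statement shapes, the rule identifiers (VP-PLACEHOLDER-00x) and the legacy_export procedure name are constructed placeholders.

```python
import re

# Constructed allowlist of approved statement shapes (literals replaced by "?").
# Anything whose shape is not listed here is denied: default-deny whitelisting.
APPROVED_SHAPES = {
    "select name, balance from accounts where id = ?",
    "update accounts set balance = ? where id = ?",
}

# Constructed virtual-patch rules. Each one blocks a request shape that would
# reach a known-vulnerable code path, so the backend never sees the request.
# Rule names and the legacy_export procedure are hypothetical placeholders.
VIRTUAL_PATCHES = [
    ("VP-PLACEHOLDER-001 stacked statements", re.compile(r";")),
    ("VP-PLACEHOLDER-002 legacy_export procedure",
     re.compile(r"\bexec(?:ute)?\s+legacy_export\b")),
]

# Single-quoted strings (with '' escapes) and bare numeric literals.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: drop one trailing ';', literals -> ?,
    lower-case, and collapse whitespace. Rules run on the shape, so a ';'
    inside a string literal is not mistaken for a second statement."""
    shape = _LITERAL.sub("?", sql.strip().rstrip(";"))
    return " ".join(shape.lower().split())


def check_request(sql: str) -> tuple:
    """Gatekeeper decision: ("deny", reason) or ("allow", approved shape)."""
    shape = normalize(sql)
    for name, pattern in VIRTUAL_PATCHES:      # known-vulnerability checks first
        if pattern.search(shape):
            return ("deny", f"virtual patch {name}")
    if shape not in APPROVED_SHAPES:           # then the allowlist
        return ("deny", "statement shape not in allowlist")
    return ("allow", shape)


# Constructed sample requests as captured in front of the database.
SAMPLE_REQUESTS = [
    "SELECT name, balance FROM accounts WHERE id = 42;",
    "UPDATE accounts SET balance = 100.50 WHERE id = 42",
    "SELECT name, balance FROM accounts WHERE id = 42; DROP TABLE audit",
    "EXEC legacy_export 'all'",
    "SELECT * FROM accounts",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, detail = check_request(req)
        print(f"{verdict:5}  {req!r}  ({detail})")
```

Only the first two sample requests are allowed; the rest are stopped by a virtual-patch rule or by the allowlist, and each denial carries the reason so it can be logged for the monitoring step that follows.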

Step 4: Monitor in Real Time

Data access management technologies and security information and event management (SIEM) technologies provide real-time monitoring and incident management as well as log management and compliance reporting. Real-time monitoring is a key to proactive threat detection and effective risk mitigation. It ensures that systems and processes are working as expected and adhering to security policies and compliance standards. Monitoring can be combined with alerting for immediate response to a security threat or non-compliant condition. By comparison, discovering the same situation during quarterly or annual vulnerability testing could result in considerable negative impact to your business. After-the-fact analysis also locks you into a process of reactive risk management.

Get Your Security Synapses Firing on All Cylinders

Creating an enterprise risk management strategy that follows the steps highlighted above will allow you to:

• Better control and manage your enterprise risk and security programs

• Streamline the compliance process and ensure adherence to internal policies and industry regulations

• Improve information security to better protect business-critical systems and proprietary data

What’s more, a strategy of this caliber brings cohesion to your organization’s security program, and when done properly, can provide efficiencies and cost savings in security operations—something that’s on everyone’s mind these days.

Dave Anderson currently serves as the Senior Director of Solution Marketing for McAfee, where he is responsible for developing market strategy, delivering new technology solutions, and managing global marketing campaigns for McAfee's Risk and Compliance solutions. Dave has 18 years of experience in information security and risk management at companies including SAP, ArcSight, KPMG, and VeriSign. His expertise focuses on strategy and planning, marketing, and operational governance. Dave received his MBA from Duke University, with an emphasis in international management and strategy.