Security Experts:

Connect with us

Hi, what are you looking for?


Risk Management

The Real Inhibitors of Risk Management

Over the past two years, risk management has gained a lot of attention in the media and among practitioners. Even though it has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted a pro-active approach to addressing risks. What are the inhibitors to risk management and how can companies overcome them?

Over the past two years, risk management has gained a lot of attention in the media and among practitioners. Even though it has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted a pro-active approach to addressing risks. What are the inhibitors to risk management and how can companies overcome them?

In today’s threat-driven environment the bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack. This has led many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) to change their approach and incorporate the concept of risk management into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.

Rather than following the traditional compliance-driven approach to risk management which promotes a check-box mentality, the renewed guidelines encourage organizations to find ways to streamline governance processes, continuously monitor compliance and their security posture, and correlate it to business criticality.

Managing Risk ManagementHowever, old habits die hard: According to the 2015 Black Hat Attendee Survey (PDF), nearly three quarters (73 percent) of top security professionals think it is likely that their organizations will be hit with a major data breach in the next 12 months. One of the frustrations voiced in the survey links back to the fact that many organizations are still focusing more on compliance rather than a risk-based approach to security. This negatively impacts a company’s security posture because this approach takes time and resources away from activities needed to ensure systems are secure and protected.

Meanwhile, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s consider the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.

Risk Culture

When implementing risk management practices, it is essential to instill a risk-aware culture at all levels and across all functional areas of the organization. Lack of buy-in from all stakeholders is one of the most common hurdles to making the transition from a compliance- to risk-driven approach to security. There are many examples of organizations that hired a first-time Chief Risk Officer in an attempt to force the transition, but failed due to the fact that the individuals required to implement the new practices on a day-to-day basis were still stuck in their antiquated compliance views. To be successful, risk management must avoid a gap between senior management and the rest of the organization when it comes to understanding and embracing risk management concepts and benefits. To address this roadblock, a well thought out training program is required for current and incoming employees.

Risk Management Perceptions

Although risk management was initially introduced to increase shareholder value, not all companies understand its benefits. It is important to realize that there is no one-size-fits all approach, but rather the benefits and costs of risk management are dependent on factors such as organizational size, complexity, vertical industry, and location. Considering these factors when planning the scope of a risk management implementation will increase the odds that its benefits will be more clearly understood and supported across the organization.

Risk Technology

Instead of relying on employees to implement risk management in silo-based fashion using antiquated tools such as spreadsheets to document their findings, organizations should consider the use of a technology-based system. Pitfalls to look out for include integrating the necessary tools and techniques in a holistic manner and managing these at an enterprise level. Other alternatives, such as implementing Governance, Risk, and Compliance (GRC) processes using outside consultants and traditional GRC solutions, often require extensive customization that can result in months, if not years long rollouts.

A recent white paper by global advisory firm Enterprise Strategy Group (ESG), entitled “Beyond GRC: SRM and the Move to Integrated Risk Management”, found that a majority of respondents view the traditional mix of GRC systems as inflexible, slow, and incapable of delivering on the promise of automating risk management processes. In fact, nearly 78 percent of the enterprises surveyed are in the process or planning to replace these systems with advanced Integrated Risk Management platforms. There stated goals include increasing operational efficiency and audit accuracy, streamlining remediation, gaining improved visibility into enterprise risk posture, and ultimately making better investment decisions.

Organizations that address the above mentioned inhibitors to risk management head-on, can significantly reduce the time it takes to produce risk profiles; shorten the policy control process; involve all required subject matter experts via a centralized, standardized collaboration system; achieve tremendous overhead savings by automating risk assessment efforts; and increase credibility with management, regulators, and boards of directors. Ultimately, they can use their knowledge of risk to optimize business investments and performance, while achieving and often surpassing their corporate budget objectives.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.