SecurityWeek

Network Security

Understanding IT Risk from the Business Perspective

Most Organizations Lack the Tools and Processes to Assess and Prioritize Risks and Vulnerabilities from the Business Perspective…

Recent security breaches at major retailers such as Target, Neiman Marcus and Michaels Stores have brought further visibility to, and a greater sense of urgency around, IT risks that have a direct impact on the business. For many years, information security took a back seat to other corporate priorities, but security has evolved — and moved up the corporate ladder — from simply restricting access to a few monolithic systems to enabling safe access in a business environment that is dynamic, global, and always on.

Security is no longer just a technical issue that can be managed in bits and bytes; it’s a core business issue. Modern networks and data centers consist of many complex and intertwined business applications — from commercial off-the-shelf applications such as SAP and SharePoint, to homegrown applications performing custom business logic, to 3rd party cloud-based services — all are critical for the business to run.

A security breach or an outage to a business application or an entire network has a direct impact on a company’s bottom line. Security has to be effective enough to minimize risks to the business but also must enable the business to be agile in order to stay relevant and competitive. This requires a different approach to vulnerability management and a shift in the way security is viewed.

The traditional risk management approach is very technical, often displaying risks for servers, IP addresses, and other elements that are rarely understood by the business. How can a business owner make a sound risk remediation decision if the risk isn’t truly understood? According to Gartner, “risk and the accountability for risk acceptance are – and should be – owned by the business units creating and managing those risks.”

But most organizations today lack the tools and processes to assess and prioritize risks and vulnerabilities from the business perspective and end up defaulting to one of these approaches:

1. Severity – rushing to fix the most critical vulnerability first (e.g. based on CVSS score) is problematic. Do you really need to rush and fix a critical vulnerability in a non-mission critical server that houses non-confidential data?

2. Threat Path Analysis – trying to predict which vulnerabilities a hacker may use to make multiple “hops” required to reach a critical asset may look great on paper. But in reality, it requires a lot of overhead (as if security professionals do not have enough work). The end result is often disconnected from how attacks are actually conducted and from what business stakeholders value the most. As recently noted (PDF) by the Ogren Group, “organizations reduce the risk of disclosure events by assuming critical resources are exposed to all threats, regardless of threat paths or how many hops an attack must take before finding a vulnerable resource.”


3. Asset Tagging – tagging multiple assets and associating them with a line of business works well until things start to change, which is just about every day. Because provisioning of new servers is typically carried out by teams that do not include the risk and vulnerability teams, new servers are not tagged to their associated business lines. This quickly makes asset tagging data unreliable.

So what does it take to truly evolve to an application-centric vulnerability approach, where vulnerabilities are viewed and prioritized by business application, and not just individual servers? For starters, you need to get business stakeholders on board – starting with senior executives. Associating risks with a line of business enables security teams to more effectively communicate with their business and application owner counterparts. This provides organizations with extended visibility that enables them to be accountable and truly “own the risk”.

From a technical perspective, you need to be able to map out your applications, along with their complex connectivity requirements, and tie this mapping to a sound change management process to ensure continuous data accuracy. This is easier said than done – but it is with good reason that in a recent survey of 240, nearly half of the responding organizations want to prioritize network vulnerabilities by business application (by far the most popular response). Having this type of visibility elevates security and wins it a seat at the highest of tables – and the people at this table speak in business terms, not CVSS scores.
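The application-centric prioritization argued for above, as an added Python example that is not from the article or any vendor product: it weights each finding by the criticality and data sensitivity of the business application its host belongs to, and treats a host missing from the server-to-application mapping (the stale asset tagging problem) as a gap to surface rather than ignore. The applications, hosts, weights and VULN-style identifiers are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample inventory (hypothetical applications and hosts, not from the article).
# Each application carries the two business attributes the article asks about:
# how mission-critical it is and how confidential its data is (1-5 each).
APPS = {
    "order-processing": {"criticality": 5, "data_sensitivity": 5},
    "hr-portal":        {"criticality": 3, "data_sensitivity": 4},
    "dev-wiki":         {"criticality": 1, "data_sensitivity": 1},
}
# Server-to-application mapping kept current by change management. A server
# provisioned without telling the risk team is simply absent from this table.
SERVER_TO_APP = {"10.0.1.10": "order-processing", "10.0.2.20": "hr-portal", "10.0.9.90": "dev-wiki"}
MAX_WEIGHT = 10  # criticality 5 + data_sensitivity 5

@dataclass
class Vuln:
    server: str
    vuln_id: str  # placeholder identifiers in the sample, not real advisories
    cvss: float

def business_risk(v, server_to_app=SERVER_TO_APP, apps=APPS):
    """Return (score, application): CVSS weighted by the business value of the
    application the host belongs to. An unmapped host is reported as 'UNMAPPED'
    with the maximum weight, so stale asset data surfaces as a gap to close
    instead of silently burying a possibly critical exposure."""
    app = server_to_app.get(v.server)
    if app is None:
        return v.cvss * MAX_WEIGHT, "UNMAPPED"
    a = apps[app]
    return v.cvss * (a["criticality"] + a["data_sensitivity"]), app

def prioritize(vulns, server_to_app=SERVER_TO_APP, apps=APPS):
    """Order findings by business risk, highest first: [(id, app, score), ...]."""
    scored = [(business_risk(v, server_to_app, apps), v) for v in vulns]
    scored.sort(key=lambda item: item[0][0], reverse=True)
    return [(v.vuln_id, app, round(score, 1)) for (score, app), v in scored]

def sample_findings():
    """Constructed scan output; note the critical CVSS on the low-value wiki host."""
    return [
        Vuln("10.0.9.90", "VULN-0001", 9.8),  # dev-wiki, public data
        Vuln("10.0.1.10", "VULN-0002", 7.5),  # order-processing, payment data
        Vuln("10.0.2.20", "VULN-0003", 6.0),  # hr-portal
        Vuln("10.0.3.33", "VULN-0004", 5.0),  # host nobody mapped to an application
    ]

if __name__ == "__main__":
    for vuln_id, app, score in prioritize(sample_findings()):
        print(f"{score:6.1f}  {app:18}  {vuln_id}")
```

The CVSS 9.8 finding on the public wiki ends up last, while the medium-severity finding on the order-processing application and the unmapped host both rank above it.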
