New risks must be valued

Share this article:
New risks must be valued
New risks must be valued

IT trends –cloud, social networking and BYOD – are making the practice of security management complex, and are forcing organizations to shift to a risk-management perspective.

The purpose of risk management is to better enable smarter decisions. Good risk management must underpin all security strategy, and yet it is often overlooked in the pressure to “do something.” Communicating risk to senior stakeholders is challenging, and vague categories of “high, medium, low” risk can undermine, rather than support, security programs. 

Today's security teams cannot be seduced by the “sexy” aspects of risk. Worrying about APTs may get you a meeting with the board, but failures in the basics of patch management, protection against SQL injection, privileged user monitoring and the like, will be the cause of breaches and negative publicity that undermine corporate reputations.

Getting a handle on the basics is difficult today. While adopting cloud or BYOD can have a great impact on IT costs, employee productivity and even worker morale, there is little to nothing in the way of data to understand what the risks are, let alone how serious they may be. 

There are a lot of vested interests in both talking up and playing down the risks of all of these industry trends, making the problems to risk management that much harder to overcome. So, organizations are left to puzzle out the right approach. Businesses, IT organizations, vendors and industry bodies need to be both open and collaborative in the way we build risk management capabilities. Failure to do so will damage the ability of businesses to be competitive, for government agencies to serve their constituents and for IT vendors to retain the trust of their customers. And those are the real risks.

Share this article:

Sign up to our newsletters

More in Opinions

Hackers only need to get it right once, we need to get it right every time

Hackers only need to get it right once, ...

Hackers only need to find one weak point to steal valuable information. On the flip side, security pros need to account for every possible scenario.

Successful strategies for continuous response

Successful strategies for continuous response

While it isn't realistic for organizations to expect that it will never happen to them, a rapid, professional and continuous response can limit their scope and reputational impact.

When it comes to cyber attacks, predictions are pointless but preparation is key

When it comes to cyber attacks, predictions are ...

Rather than predicting the next lightning strike it is far better to pay attention to the areas we already know are vulnerable.