New risks must be valued


IT trends – cloud, social networking and BYOD – are making the practice of security management complex, and are forcing organizations to shift to a risk-management perspective.

The purpose of risk management is to enable smarter decisions. Good risk management must underpin all security strategy, and yet it is often overlooked in the pressure to “do something.” Communicating risk to senior stakeholders is challenging, and vague categories of “high, medium, low” risk can undermine, rather than support, security programs.

Today's security teams cannot be seduced by the “sexy” aspects of risk. Worrying about APTs may get you a meeting with the board, but failures in the basics of patch management, protection against SQL injection, privileged user monitoring and the like, will be the cause of breaches and negative publicity that undermine corporate reputations.

Getting a handle on the basics is difficult today. While adopting cloud or BYOD can have a great impact on IT costs, employee productivity and even worker morale, there is little to nothing in the way of data to understand what the risks are, let alone how serious they may be. 

There are a lot of vested interests in both talking up and playing down the risks of all of these industry trends, making the problems of risk management that much harder to overcome. So, organizations are left to puzzle out the right approach. Businesses, IT organizations, vendors and industry bodies need to be both open and collaborative in the way we build risk management capabilities. Failure to do so will damage the ability of businesses to be competitive, of government agencies to serve their constituents and of IT vendors to retain the trust of their customers. And those are the real risks.
