New risks must be valued


IT trends – cloud, social networking and BYOD – are making the practice of security management complex, and are forcing organizations to shift to a risk-management perspective.

The purpose of risk management is to better enable smarter decisions. Good risk management must underpin all security strategy, and yet it is often overlooked in the pressure to “do something.” Communicating risk to senior stakeholders is challenging, and vague categories of “high, medium, low” risk can undermine, rather than support, security programs. 

Today's security teams cannot be seduced by the “sexy” aspects of risk. Worrying about APTs may get you a meeting with the board, but failures in the basics of patch management, protection against SQL injection, privileged user monitoring and the like, will be the cause of breaches and negative publicity that undermine corporate reputations.

Getting a handle on the basics is difficult today. While adopting cloud or BYOD can have a great impact on IT costs, employee productivity and even worker morale, there is little to nothing in the way of data to understand what the risks are, let alone how serious they may be. 

There are a lot of vested interests in both talking up and playing down the risks of all of these industry trends, making the problems of risk management that much harder to overcome. So, organizations are left to puzzle out the right approach. Businesses, IT organizations, vendors and industry bodies need to be both open and collaborative in the way we build risk management capabilities. Failure to do so will damage the ability of businesses to be competitive, of government agencies to serve their constituents and of IT vendors to retain the trust of their customers. And those are the real risks.
