Risk: Security's new compliance
For many years, complying with government standards and industry regulations was seen as an obligatory check box in the lengthy list of IT security tasks. However, recent changes in the security ecosystem are leading to a rethinking of this approach.
2011 saw a record number of cyber security attacks and associated breaches with very public disclosures including Citigroup, the International Monetary Fund, RSA (the security division of EMC), Lockheed Martin, Google, Sony, ADP and NASDAQ. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security – often with discovery after the fact.
The 2012 Global State of Information Security Survey, which was conducted by PwC surveying more than 9,600 security executives from 138 countries, reveals that only 16 percent of respondents believe their organizations are prepared and have security policies in place that are able to confront an advanced persistent threat (APT). This does not come as a surprise, considering three years of budget constraints that led to degradation in core security capabilities.
Considering the current economic climate and impasse in Congress, a dramatic change in prior years' budget limitations across the commercial and public sectors appears unrealistic; however, the increased threat levels will lead to a budget realignment toward security. Security professionals will be asked not to deploy additional security solutions, but instead to find better ways to leverage existing investments in security tools. The revised objective of many organizations today is to develop a risk-based rather than compliance-driven approach to determining the business' investment decisions.
According to a 2011 survey, more organizations are focusing on managing risk, not just security. In fact, 57 percent of survey respondents had already shifted to a risk-based approach, employing a formal enterprise risk management process or methodology. 61 percent of respondents indicated that they will put even more value on a risk-driven strategy going forward.
This data is complemented by independent market research studies, which show that more organizations recognize that instead of looking at governance, risk, and compliance (GRC) from a centralized perspective, it is more efficient to let business operations drive these efforts, as that is where the organization's risk knowledge resides. In this context, the market sees the emergence of the role of the business information security officer (BISO), reflecting the fact that regional resources are the real subject matter experts when it comes to the risk associated with particular business units.
Making risk visible, measurable, and actionable
The dilemma that organizations are facing is that their current security and vulnerability measures, including perimeter intrusion detection and signature-based malware and anti-virus solutions, are unable to keep up with evolving threats. Often, these security tools operate in silos and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming lies in the fact that a majority of vulnerability programs lack a risk-based approach, whereby vulnerabilities and associated remediation actions are prioritized according to the risk to the business. Thus, it is often impossible to make risk visible, measurable, and actionable.
However, as mentioned before, using real-time risk analysis is essential to optimize business performance and make better investment decisions. Therefore, organizations should explore software tools that are able to aggregate data from existing security tools and information management applications. These tools provide not only advanced reporting capabilities but also interconnectivity, ensuring that remediation actions can be triggered and followed through easily. At the same time, the tools tie compliance and security automation together, thereby extending traditional GRC capabilities. Leveraging these tools allows organizations to implement a holistic view of security while pursuing automation of the GRC process. This approach is being labeled "security risk management" rather than "GRC," and yields the following benefits:
- Reduces risk by making threats and vulnerabilities visible and actionable; enables organizations to prioritize and address high-risk security vulnerabilities before breaches occur
- Reduces cost by streamlining processes to leverage automation and reduce redundant, manual efforts
- Provides reports and metrics to measure effectiveness and efficiency