IT trends –cloud, social networking and BYOD – are making the practice of security management complex, and are forcing organizations to shift to a risk-management perspective.
The purpose of risk management is to better enable smarter decisions. Good risk management must underpin all security strategy, and yet it is often overlooked in the pressure to “do something.” Communicating risk to senior stakeholders is challenging, and vague categories of “high, medium, low” risk can undermine, rather than support, security programs.
Today's security teams cannot be seduced by the “sexy” aspects of risk. Worrying about APTs may get you a meeting with the board, but failures in the basics of patch management, protection against SQL injection, privileged user monitoring and the like, will be the cause of breaches and negative publicity that undermine corporate reputations.
Getting a handle on the basics is difficult today. While adopting cloud or BYOD can have a great impact on IT costs, employee productivity and even worker morale, there is little to nothing in the way of data to understand what the risks are, let alone how serious they may be.
There are a lot of vested interests in both talking up and playing down the risks of all of these industry trends, making the problems to risk management that much harder to overcome. So, organizations are left to puzzle out the right approach. Businesses, IT organizations, vendors and industry bodies need to be both open and collaborative in the way we build risk management capabilities. Failure to do so will damage the ability of businesses to be competitive, for government agencies to serve their constituents and for IT vendors to retain the trust of their customers. And those are the real risks.