Is an IT risk management program strategic or tactical?

The duties of CIOs, CTOs and CISOs are morphing from mainly managing a vast network of IT assets to being more strategic and transformational. Until recently, the computing systems being managed have been viewed not only as an essential resource, but also as an operating cost needing to be controlled. Today technology is increasingly being recognized as a vital tool in corporate strategy.

With the changing business paradigm of increased web-enabled applications, integration, interdependency, openness and accessibility upon which today's e-business has come to depend, CIOs must implement strategies to deal with evolving and threatening IT security and compliance challenges. This means information security is no longer simply an expense; it is a strategic element that if implemented and managed correctly can provide a competitive advantage.

In spite of investing millions of dollars to purchase sophisticated solutions to protect sensitive or valuable corporate and customer data, most organizations would receive a failing grade in their ability to manage IT risk and improve overall enterprise risk.

Almost daily we read about security breaches and scams that result in major service disruption, or ID and credit card theft that cost companies millions of dollars. In fact, companies are losing electronic records at a rate of six million a month this year in the United States, a third of which are directly attributed to hackers or information theft. While several states like California have mandatory disclosure laws, the reality is that for every breach that is reported there are several others that are kept under wraps for fear of customer and shareholder dissent.

Most companies are content with implementing tactical security solutions to reactively address increasingly sophisticated attackers and security breaches. But the reality is that what used to be considered good enough is no longer sufficient. What is required to proactively measure, manage and mitigate IT risk is an over-arching management umbrella that provides automation and security intelligence to assess the comprehensive security and risk posture of IT infrastructure.

When best-of-breed isn't best:

As security and IT risk management challenges evolved, organizations have invested heavily in specialized log, vulnerability, configuration, asset and performance management point solutions. While most of these so called best-of-breed point solutions do a decent job within their selected silo, they unfortunately miss the mark when trying to build an integrated IT risk and security best practices program.

Each of these point solutions creates a unique information silo, which leads to an IT management nightmare of disconnected information and duplication of efforts by networking and security teams. And, since IT staffers are forced to look at each silo of information individually, they lack the ability to automatically connect the dots to identify significant patterns and anomalies or get to the root cause of a breach. Such delay leads to an undetected breach that could prove extremely costly – both financially and in terms of reputation.

These disconnected toolsets are inherently complex and lack the ability to integrate the information necessary to better manage IT risk. A better approach is a security and risk management platform that minimizes risk by automatically connecting the dots and proactively detecting a breach.

Platform approach to IT risk management:

Fortunately, better solutions are emerging. Security management tools are going through a transformation similar to that of network management tools many years ago. These new solutions are more strategic since they unify information from many disparate silos of information to automatically connect the dots through end-to-end correlation and policy management. They also segregate information as needed by various business units, thus helping to build a more strategic and collaborative IT risk management program.

Organizations that are on the fence about whether an IT risk management program is strategic need to look no further than a copy of the regulatory mandates to which they are legally bound. A businesses' ability to prevent, detect and respond to internal and external threats that could compromise the network or sensitive data is no longer simply an industry best practice exercise. Security is essential and protecting information assets is paramount. A comprehensive IT risk management program must be thought of as a fundamental strategic objective of any organization. This program must be pervasive throughout the organization and integrate all facets of the business that deal with corporate IT risk.

To provide insight into security and risk posture, the program must look to next-generation security and IT risk management solutions that can better integrate assorted information across the IT infrastructure. These solutions should also be evaluated on their ability to facilitate strategic security best practices. Organizations that have moved in this direction are already reaping the benefits, which include improved identification of security incidents, powerful auditing and reporting functionality, lower management costs and advanced capabilities that proactively address problems based on strategic IT risk assessment instead of tactical fire fighting.

Vijay Basani is CEO and co-founder of eiQnetworks

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.