Tenets Of Risk-Based Security Management

Don't get bogged down in choosing a framework.

A risk-based approach to security shows the cost of mitigating risks relative to the perceived value of an asset, in the context of vulnerabilities, threats, and potential impact on the business. Sounds straightforward enough, and our survey respondents talk a good game: 41% say a main goal of their IT risk management programs is to ensure IT alignment with business needs.

From our experience, however, there's some wishful thinking going on. Rarely do the companies we work with even have a comprehensive asset list, let alone any consistent risk-based analysis of assets or controls. In addition, with a plethora of risk-based models to choose from--AS/NZS ISO 31000:2009, ISO 27005, COSO, OCEG--practitioners get caught up in religious wars over which is best. Within these models is a variety of approaches, including data-centric security; enterprise risk management; information risk management; and governance, risk, and compliance.

The devil really is in the details. To base a security management approach on risk, you must know how any given asset is valued, the likelihood that a threat will exploit a vulnerability, and the impact to the business if a given asset were to be compromised. And you must accept that not everything can be fixed. When managing risk, IT has several mitigation options to consider: reduce, transfer, avoid, or accept. Be realistic. For the time being, you may have to transfer, avoid, or accept risks that you would prefer to reduce. This is where being able to assess the value of a service and the costs of possible controls is invaluable.

Most of all, don't get bogged down. All of today's risk standards have the same core components. Fighting over which to use ensures just one thing--that you won't make progress. You can always change later if it turns out an approach is too complex or another framework is more relevant for your company. Just pick one and get going.

Go to the main story:
Rise Of Risk Management
Continue to the sidebar:
Risk Management In A Box?
