Know Your Security Risks to Avoid Getting Blindsided

Gary Davis
IT security risks are everywhere. Adversaries are constantly probing your defenses, intent on making inroads into your organization and, in one way or another, cleaning your clock. What's worse, threats evolve and grow more agile with every passing year, further complicating efforts to stay one step ahead of the game.

Sounds familiar, doesn't it? And it's funny how that same description works for both the IT security pros and the quarterback. Except the quarterback understands the risks and is fully prepared to deal with them. Are you?

As the lines blur between IT operations, security and compliance, risk management has emerged as the pivotal area from which those three organizational requirements can be addressed and optimized. In essence, if you can effectively manage risk, then IT operations run smoothly, and security and compliance simply fall into place.

In this article, we look at risk from a threat perspective: how to discern and manage risk by understanding your security and compliance posture in relation to the threats you face. Only by assessing threats as they materialize or evolve can you know what risk your business is carrying at any given time.

Let's continue with our football analogy and the menacing threats at hand.

Gaining a Threat Perspective Sure Beats Getting Your Head Knocked Off

Football gives us vivid illustrations of the importance of threat management, and of the absolute need to view security from a threat-based perspective. If you're a football fan or you read The Blind Side or saw the movie, then you know that the position of Left Tackle is vitally important when it comes to protecting the quarterback. That's because he protects the right-handed quarterback (which describes nearly all of them) in his blind spot on the left side of the field, keeping him from getting knocked down before he knows what hit him. And when the quarterback does get hit from the blind side, everybody knows who's to blame. There's nowhere for the Left Tackle to hide.

The same can be said about IT security practitioners. In fact, they carry a burden as big as the entire offensive line. They must be acutely aware of the threats that are lined up against them at all times. And if a hostile foe slips through, everyone knows where the buck stops.

And yet, mind-boggling as it may seem, for many IT professionals today, threats aren't top-of-mind. Instead, regulations and compliance are grabbing mindshare and stealing valuable time away from proper threat assessment and risk management. This is certainly understandable, as the possibility of being hit with huge fines for failing to comply with government regulations is an urgent, tangible threat. But concentrating on regulatory compliance instead of threats and vulnerabilities can be counter-productive, to say the least. You can pass audits with flying colors even as ingenious new threats worm their way into your enterprise, exploiting exposures that yesterday's regulations never anticipated.

Stuxnet is a good case in point. Uncovered this past summer, it is a complex worm that spread to well over a hundred thousand computers and struck systems in multiple industries, including critical infrastructure providers (e.g. power companies). In particular, according to news reports at the time, it wreaked havoc on an as-yet unnamed San Diego utility and an Iranian nuclear facility.

Stuxnet is a game-changer in that it silently reprograms the programmable logic controllers (PLCs) that run industrial processes, handing an attacker control of physical equipment in critical infrastructure. There's a lot of speculation as to who perpetrated the deed, but that's not important. The Stuxnet takeaway is that risk management from a threat perspective is paramount. IT security teams need to stay apprised of all threats at all times. True, even the best threat analysis and research can't prevent complex threats such as Stuxnet from attacking. But at a minimum, they can mitigate the damage, both to systems and to reputations.

Increase Your Visibility

You need to be able to see everything that contributes to the risk equation: threats, asset criticality, vulnerabilities and in-place countermeasures. Effective risk management depends on current, end-to-end knowledge of all of these factors. Only with this visibility can your company fully understand the risks it faces, decide which security controls counter them most effectively, and put those controls where they matter. This level of visibility also lets you prioritize security efforts while replacing the manual, time-consuming work of correlating threats to critical systems.

Why is this so important? Let's say a new threat emerges, but you don't know which of your systems run the affected software, how critical each of them is, or what defenses are deployed on each. How do you then know which systems are actually at risk from this specific threat? How do you know where to focus your IT efforts?
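The correlation described above, as an added example that is not part of the original article: a new threat record (the kind a research feed delivers) is matched against an asset inventory, and each asset is scored by whether it runs an affected version, how critical it is, and whether a countermeasure that blunts this particular threat is already in place. The hosts, product names, versions, countermeasure names and the 0.25 mitigation factor are all constructed assumptions for illustration, not data from the article.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                  # 1 (disposable) .. 5 (crown jewel)
    software: dict                    # product -> installed version
    countermeasures: set = field(default_factory=set)


@dataclass
class Threat:
    name: str
    affected: dict                    # product -> set of vulnerable versions
    mitigated_by: set                 # countermeasures known to blunt this threat
    likelihood: float                 # 0.0 .. 1.0, from threat research


def is_vulnerable(asset: Asset, threat: Threat) -> bool:
    # A product the asset does not run yields None, and None is never in a version set.
    return any(asset.software.get(product) in versions
               for product, versions in threat.affected.items())


def is_mitigated(asset: Asset, threat: Threat) -> bool:
    # Only a countermeasure relevant to *this* threat counts; a host IPS does
    # nothing against a threat it has no signature or behaviour rule for.
    return bool(asset.countermeasures & threat.mitigated_by)


MITIGATED_FACTOR = 0.25   # assumption: a matching countermeasure leaves a quarter of the risk


def risk_score(asset: Asset, threat: Threat) -> float:
    """Residual risk of one asset to one threat: likelihood x criticality x exposure."""
    if not is_vulnerable(asset, threat):
        return 0.0
    factor = MITIGATED_FACTOR if is_mitigated(asset, threat) else 1.0
    return round(threat.likelihood * asset.criticality * factor, 2)


def prioritize(assets, threat):
    """Return (name, score, 'exposed'|'mitigated') for affected assets, highest risk first."""
    ranked = []
    for asset in assets:
        score = risk_score(asset, threat)
        if score > 0:
            status = "mitigated" if is_mitigated(asset, threat) else "exposed"
            ranked.append((asset.name, score, status))
    ranked.sort(key=lambda row: row[1], reverse=True)   # stable sort keeps inventory order on ties
    return ranked


# Constructed inventory: hypothetical hosts, products and versions.
INVENTORY = [
    Asset("plc-historian", 5, {"ics-eng-suite": "2.1"}, {"network-segmentation"}),
    Asset("scada-hmi", 5, {"ics-eng-suite": "2.1", "hmi-runtime": "7.0"}, set()),
    Asset("eng-workstation", 3, {"ics-eng-suite": "2.0"}, {"host-ips"}),
    Asset("web-proxy", 4, {"nginx": "1.0"}, {"host-ips"}),
]

# Constructed threat record, shaped like an entry from a research feed.
USB_WORM = Threat(
    name="usb-worm-2010",
    affected={"ics-eng-suite": {"2.0", "2.1"}, "hmi-runtime": {"7.0"}},
    mitigated_by={"host-ips", "usb-device-control"},
    likelihood=0.8,
)

if __name__ == "__main__":
    for name, score, status in prioritize(INVENTORY, USB_WORM):
        print(f"{score:4.1f}  {status:9s}  {name}")
```

Run against the constructed data, the two crown-jewel ICS hosts come out on top with a score of 4.0 each: the historian's network segmentation is real protection in general, but it is not one of the countermeasures that stops this threat, so it earns no credit here. The engineering workstation runs an affected version too, but its host IPS is on the mitigating list, so it drops to 0.6, and the web proxy does not appear at all. That is the answer to "where do I focus?", and it comes out of the inventory and the threat record rather than a room full of people cross-referencing spreadsheets.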

Raise Your IT Security IQ

Forgive me if I sound like a broken record, but IT security pros must view enterprise security from a threat perspective. This requires developing a comprehensive, proactive, sustainable strategy for gaining visibility of threats and of your in-place countermeasures. Then, controls must be put in place that allow IT staff to evaluate threats and assess risk, identify and classify systems by criticality, and prevent exploitation of known vulnerabilities.

When you're looking to invest in security infrastructure technologies, make sure your solution provider offers a constant stream of threat-based research. Only with information based on up-to-the-minute global threat research and reconnaissance can you make intelligent, informed, risk-based decisions on where and when to commit resources. That research is only actionable if it can be tied back to your own inventory: which products and versions a threat affects, and which countermeasures actually stop it. Not every IT security vendor offers this level of assistance, so it's well worth determining which ones do before putting any of them on a short list.

Concentrate Your Efforts

Ideally, a centralized management console will be the centerpiece of your security environment, one that provides single-pane awareness of your risk, security and compliance posture. This console should also be able to integrate all your various countermeasures and other security-related products, whether they come from the same vendor or from multiple vendors.

Automation is also key. With an IT environment that automatically adjusts to the evolution of threats, your staff won't have to be in constant fire-drill mode. And as new threats emerge, you'll be able to adapt quickly and reinforce your digital boundaries before holes open up.

Taking these steps can dramatically improve your organization's security posture. What's more, when risk management is optimized, IT security operations run without disruption and compliance naturally falls in line.

Then Declare Victory?

Not exactly. Unfortunately, there's no endgame here. No exit strategy. Efficient, effective risk management is an ongoing endeavor. Forever. Forgive the sports metaphor again, but the alternative is a porous front line and woefully inadequate protection, the kind that, to put it bluntly, can get you sacked.
