How to Get IT, Security, and the Business on the Same Risk Page

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7
Next How to Get IT, Security, and the Business on the Same Risk Page-3 Next

The business owns risk. Too often we see IT and security professionals signing off on risks that really belong to the business. It is often difficult to get the business to own or sign off on risks that have security or technology components that they simply do not understand. Sometimes we believe we have a separate set of "security risks" or "technology risks" that when viewed in the context of the business, are more like control failures, threats or vulnerabilities. But traditional risk managers like to see risks described in terms of their potential business impact – probable loss magnitudes – and in IT and security that’s often difficult to do.

For example, how do we tie vulnerability due to an unpatched piece of software or an access control violation to probable loss for the business? It’s easier when we talk about availability – we can often measure the effect of an outage on revenue if, say, the e-commerce site is down. But measuring the impact of a potential breach due to one of 10,000 vulnerabilities is more tenuous. It’s critical to map threats and vulnerabilities unique to security and IT to business processes, impacts and thresholds in order to move the business to take rightful ownership.

IT, security and the business have important shared objectives: 1) raise stakeholder value, 2) drive performance improvements, 3) ensure compliance across activities and operations, and 4) protect the organization, its assets and its people.       

We’ve seen breath-taking and awe-inducing changes over the last few years – the rise of a digital universe that is global, social, mobile and interconnected; the double-edged sword of innovation and rising risk profiles; the flight of business to the cloud; and IT/OT transforming to the orchestrator model. New technologies bring new risks, and it is becoming clear that there are growing disconnects between IT, security and the business on what this really means.

In the midst of all of this change, leadership, senior management and employees alike feel extreme pressure from customers, regulators and suppliers, all of whom demand explanations as to how their risks are being identified, managed and controlled. This can be a real challenge in the midst of increased threats, regulatory complexity and pressures to demonstrate control over material risks. In order to both support the strategic objectives of our organization, and just plain do our job in keeping critical processes running and sensitive assets protected, we need to build a common language and discussion framework to understand risk appetites and scenarios, and also identify and discuss risks in a context that the board and business can understand and use in decision making.

Here are five fundamental questions, identified by Yo Delmar, vice president of GRC solutions at MetricStream, a provider of governance, (IT) risk and compliance (GRC) solutions, that we need to answer in order to get IT, security and the business on the same page with a 360-degree view of risk. Working with siloed views of risk is not an option anymore – the stakes are just too high for us to continue forward with the status quo.

 

Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

 
More Slideshows

IT security skills 7 Top Skills for Security Pros

Executives at several top tech firms outline the skills they need now and in the near future, including IaaS and IoT security expertise. Other skills listed may surprise you. ...  More >>

IT security careers The Most In-Demand Security Jobs and How to Get Them

Security professionals are in demand right now, and entry-level security jobs generally fall into either an engineer or analyst role. Find out more about required skills and career paths. ...  More >>

142x105itbeusasecurity2.jpg 9 Predictions for Cybersecurity’s Role in Government and Politics in 2017

Experts predict how cybersecurity will affect and involve our government, policies and politics in 2017. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.