How to Get IT, Security, and the Business on the Same Risk Page

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7
Next How to Get IT, Security, and the Business on the Same Risk Page-6 Next

Leadership needs to know the size, the scope and the scale of risk in order to give guidance on how to manage it. Organizations need to develop a clear picture of the top risks, and how they translate down through a hierarchy to lower-level controls with an easy-to-understand risk model. You’ll need to get agreement on classification schemes to provide context. Leverage best practice control frameworks and international standards and assess as many aspects of the risk model as possible.

Use conversations with leadership to identify threat communities and their most likely attack vectors, motivations to access various assets, and skill levels. Model threat frequency and determine if controls on assets provide the right level of resistance to threats. Provide default ranges to risk analysts to help them in their analysis. Encourage risk analysts and subject matter experts to stay current with emerging threats and control standards, and revisit models frequently.

IT, security and the business have important shared objectives: 1) raise stakeholder value, 2) drive performance improvements, 3) ensure compliance across activities and operations, and 4) protect the organization, its assets and its people.       

We’ve seen breath-taking and awe-inducing changes over the last few years – the rise of a digital universe that is global, social, mobile and interconnected; the double-edged sword of innovation and rising risk profiles; the flight of business to the cloud; and IT/OT transforming to the orchestrator model. New technologies bring new risks, and it is becoming clear that there are growing disconnects between IT, security and the business on what this really means.

In the midst of all of this change, leadership, senior management and employees alike feel extreme pressure from customers, regulators and suppliers, all of whom demand explanations as to how their risks are being identified, managed and controlled. This can be a real challenge in the midst of increased threats, regulatory complexity and pressures to demonstrate control over material risks. In order to both support the strategic objectives of our organization, and just plain do our job in keeping critical processes running and sensitive assets protected, we need to build a common language and discussion framework to understand risk appetites and scenarios, and also identify and discuss risks in a context that the board and business can understand and use in decision making.

Here are five fundamental questions, identified by Yo Delmar, vice president of GRC solutions at MetricStream, a provider of governance, (IT) risk and compliance (GRC) solutions, that we need to answer in order to get IT, security and the business on the same page with a 360-degree view of risk. Working with siloed views of risk is not an option anymore – the stakes are just too high for us to continue forward with the status quo.


Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

More Slideshows

Social14-190x128.jpg 10 Ways to Improve Your Social Media Security Policy and Posture

When phone calls, video conference information, pictures, chat logs, etc. are all stored in a central location via social media, a potential hacker has access to just about everything, quickly and easily. ...  More >>

Security120-290x195 5 DDoS Myths Debunked

Unearth the real story behind five commonly held myths about distributed denial-of-service attacks. ...  More >>

Security119-190x128 8 Tips for Ensuring Employee Security Compliance

IT security ultimately depends on making sure employees use the appropriate tools and comply with policies designed to protect them and their data/applications. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.