Identify risks from the business perspective.
Traditional risk management practices have a very technical focus: they present risk per server, IP address and other elements the business seldom understands. Yet according to a recent survey, nearly half of respondents want to view risk by business application, compared with only 30 percent who want to see their exposure by network segment and 22 percent by server or device. Viewing risk by application matters because it lets security teams communicate more effectively with business owners, and it prepares and encourages those owners to "own the risk."
One way to achieve this application-centric view is to integrate security policy management with the vulnerability scanners the organization already runs: the scanner reports findings per host or IP address, while the policy and asset side knows which hosts make up each business application, so findings can be rolled up per application and assigned to the application's owner. Viewing risk by application lets the organization make risk decisions with the business in mind.
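The rollup described above, as an added example that is not part of the original page and not any vendor's product code. It joins a constructed scanner export (host-level findings) to a constructed application inventory and aggregates risk per business application, and also per network segment for comparison. The field names, host names, application names and CVSS scores are all assumed sample data; the only real convention used is the CVSS v3 qualitative severity bands. Findings on hosts the inventory does not know about are returned separately, because nobody can "own" that risk until the host is mapped to an application.

```python
"""Roll up vulnerability-scanner findings by business application.

Scanners report per host or IP address. To present risk by application,
join each finding to an application inventory (here a constructed, CMDB-style
mapping) and aggregate per application. Hosts missing from the inventory are
reported separately: they have no business owner yet.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample scanner export. Field names are assumptions, not any
# particular scanner's schema.
SCAN_FINDINGS = [
    {"host": "web-01",    "ip": "10.1.0.11", "plugin": "TLS 1.0 enabled",        "cvss": 5.3},
    {"host": "web-01",    "ip": "10.1.0.11", "plugin": "Outdated OpenSSL",       "cvss": 7.5},
    {"host": "web-02",    "ip": "10.1.0.12", "plugin": "TLS 1.0 enabled",        "cvss": 5.3},
    {"host": "db-01",     "ip": "10.2.0.21", "plugin": "Default DB credentials", "cvss": 9.8},
    {"host": "hr-app-01", "ip": "10.3.0.31", "plugin": "Missing OS patches",     "cvss": 6.5},
    {"host": "lab-07",    "ip": "10.9.0.77", "plugin": "SMBv1 enabled",          "cvss": 8.1},
]

# Constructed application inventory: host -> application, business owner, segment.
# "lab-07" is deliberately absent to exercise the unmapped-host path.
ASSET_INVENTORY = {
    "web-01":    {"application": "Online Banking", "owner": "Retail Banking",  "segment": "dmz"},
    "web-02":    {"application": "Online Banking", "owner": "Retail Banking",  "segment": "dmz"},
    "db-01":     {"application": "Online Banking", "owner": "Retail Banking",  "segment": "db-zone"},
    "hr-app-01": {"application": "HR Portal",      "owner": "Human Resources", "segment": "internal"},
}


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


@dataclass
class RiskRollup:
    findings: int = 0
    max_cvss: float = 0.0
    hosts: set = field(default_factory=set)
    owners: set = field(default_factory=set)
    by_severity: dict = field(default_factory=lambda: defaultdict(int))


def rollup(findings, inventory, key):
    """Aggregate findings by `key` ('application' or 'segment').

    Returns (rollups, unmapped): rollups maps each key value to a RiskRollup;
    unmapped lists findings whose host is not in the inventory.
    """
    rollups = {}
    unmapped = []
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            unmapped.append(f)  # no owner can be assigned yet
            continue
        r = rollups.setdefault(asset[key], RiskRollup())
        r.findings += 1
        r.max_cvss = max(r.max_cvss, f["cvss"])
        r.hosts.add(f["host"])
        r.owners.add(asset["owner"])
        r.by_severity[severity(f["cvss"])] += 1
    return rollups, unmapped


def rank(rollups):
    """Order groups for a business report: worst single finding first,
    then by number of findings."""
    return sorted(rollups, key=lambda k: (-rollups[k].max_cvss, -rollups[k].findings, k))


if __name__ == "__main__":
    by_app, unmapped = rollup(SCAN_FINDINGS, ASSET_INVENTORY, "application")
    print("Risk by business application:")
    for app in rank(by_app):
        r = by_app[app]
        print(f"  {app:15} owner={'/'.join(sorted(r.owners))} max_cvss={r.max_cvss} "
              f"findings={r.findings} {dict(r.by_severity)} hosts={sorted(r.hosts)}")
    by_seg, _ = rollup(SCAN_FINDINGS, ASSET_INVENTORY, "segment")
    print("Risk by network segment (for comparison):")
    for seg in rank(by_seg):
        print(f"  {seg:15} max_cvss={by_seg[seg].max_cvss} findings={by_seg[seg].findings}")
    print(f"Unmapped hosts (no owner): {sorted({f['host'] for f in unmapped})}")
```

The segment view shows the gap the text describes: "db-zone" tops the list with one critical finding, but the report says nothing about which business service is exposed, whereas the application view rolls the same finding into "Online Banking" alongside its web-tier findings and names the owner who must accept or fix the risk. The unmapped list is the check a practitioner should add to any such integration; a host the inventory cannot place is a gap in the application mapping, not an absence of risk.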