
IT’s New Role: Defining and Managing Risk

The change demands a collaborative approach to prioritizing threats, and it pays off in achieving compliance, too.

Imagine taking a scattershot approach to your personal financial investments the way some companies (maybe even yours) manage their IT security risks. You would make investments without regard to your tolerance for risk. You would listen to market noise that has little impact on a minor stock's performance, causing you to miss the signals that indicate real trouble at a company in which you're heavily invested. You would lack basic protections, such as triggering a sell order if a stock falls below a certain value. And you might not have any confidence that you correctly accounted for your investments before you sign your tax returns.

That's no way to run your personal finances. And it's certainly not a model for identifying, assessing, and managing the impact of IT security risks to your business. That's especially true today: security threats are multiplying, and executives who fail to meet compliance mandates, such as Sarbanes-Oxley, potentially face bad publicity and other penalties.

Stop Managing Security. Start Managing Risk.

The way forward lies in a security risk management (SRM) approach that protects your company from the most severe threats to critical IT systems and operational processes. SRM helps your organization understand its assets and analyze the vulnerabilities it must address. Security risk management also facilitates internal and external compliance initiatives. It enables your organization to enforce policies that relate to the integrity of customer data, the configuration of corporate applications and databases, and the accuracy of financial reports. Companies that take a systematic approach to SRM reap additional benefits: operational efficiencies that lead to better management of resources and reduced costs.

It's up to all the parties involved in the IT operations and security mission to demonstrate that they can take on the demands of this new challenge. Led by the CIO, security officers and IT operations staff must embrace a new cooperative agenda that puts IT at the forefront of planning, prioritizing, and managing risks to business resources. There's not enough manpower these days for a "throw-it-over-the-fence" security strategy that attempts, and often fails, to protect everything without considering which threats put the business in greatest jeopardy. There's no time to manually dig through reams of information flowing out of disparate security and compliance tools to determine which data and assets need priority protection.

Moving from managing security to managing risk requires the IT organization to change its mindset and to move away from reacting to each new threat with point solutions. "Security risk management is a process, not a product," says Michelle Johnson Cobb, group product marketing manager at McAfee. SRM is equally about management and measurement. It melts the boundaries that separate security and compliance initiatives, recognizing that cooperative processes keep an organization secure and compliant.

"How to implement SRM will differ based on an organization's size, its industry, its key assets, and the external or internal regulations to which it is accountable," says Rachel Ackerly, senior manager of product marketing at McAfee. Large public companies, for instance, must often meet an alphabet soup of compliance mandates. A small retailer may be concerned only with internal guidelines for customer data protection.

At the heart of SRM is the recognition that your organization cannot respond to every threat, configuration error, or vulnerability at the same breakneck pace. Instead, you must determine what your most critical assets are and how to protect them. And, by extension, you must determine which risks may be accepted or immaterial.

In this new role, IT is empowered to make decisions that match the company's own rationale for minimizing risk and maximizing business benefits. One e-commerce vendor may put its customer database at the top of its list of must-protect assets, since a breach of such data will shake customer confidence. Yet another company may give that priority to its order processing system, concerned that if it succumbs to a vulnerability, its customers will migrate to another merchant, and perhaps never return.

By bringing together both threat prevention and compliance management, McAfee takes a unique, integrated approach to SRM. Key components for risk analysis and compliance management are McAfee® Foundstone® and Preventsys®. Foundstone Enterprise provides critical asset and vulnerability information to identify and prioritize risks. Preventsys consolidates vulnerability, configuration, and threat data from third-party tools to automate security compliance reporting.

These products build upon a standardized process to help enterprises automate manual security and compliance efforts. The process requires you to:

  • Understand your assets and their importance to the business.
  • Analyze risks, based on your assets' vulnerabilities, the threats that may exploit them, and the levels of risk you can accept.
  • Choose the right level of protection: remediate immediately, or block as an interim step.
  • Manage compliance, reporting against both internal and external security policies, processes, and procedures.

Given the great expense that large companies, in particular, incur to interpret and create compliance policies, it's important that they be able to check performance against baselines. In smaller, private businesses, the need to comply with regulations may impose a burden out of proportion to their size.
It's a risky world, but someone has to manage it. Like investors with a knack for picking stocks before they're officially hot, IT operations and security professionals who take on the SRM challenge now stand to reap rewards as they protect their business advantage with a proper balance of efficiency and effectiveness.

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved.