June 2007

SECURITY INSIGHTS ARTICLES

Aligning IT to Business-Driven Security Risk Management

"Security risk management" (SRM). It's one of those industry catch phrases that can mean all things to all people. To operations professionals, it means making sure devices are compliant with internal policies and regulations, so that the network can be kept alive. To auditors, it's all about compliance with external regulatory pressures and internal policies. To IT security, the focus of SRM is keeping vulnerabilities and threats to a minimum on critical devices. And, to business owners, it means business continuity—keeping the enterprise going, so that it makes a profit and thrives. After all, isn't everyone interested in that?

For business owners, the real reason for security risk management is to protect data—the lifeblood of the enterprise. Protecting valuable data becomes all-important, so it's incumbent on all parties involved in IT and security to take on this new challenge. The CIO, security officers, internal audit, and IT operations staff will see that they need to embrace a new cooperative agenda that puts IT risk management at the forefront of planning, prioritizing, and managing risks to business resources.

Successful risk management means IT operations and IT security are aligned to business needs. It's critical that both departments cooperate with the business to determine what truly represents a risk and how the risk can best be mitigated. By integrating IT goals with business goals, you can derive an overall integrated enterprise risk management framework that includes all levels of the organization and all aspects of the business. It's the only way to ensure that you are making solid IT risk management decisions.

The level of risk tolerance for IT security is defined by the organization's overall tolerance for risk. Business owners are often prone to accept substantially more risk when they don't have a clear picture of their true exposure. Often, when these decisions are presented back to business managers in quantifiable metrics, they find that they are more risk averse than they previously thought. For example, if a business unit owner refuses to allow IT security to implement a remediation because it may mean that they will temporarily be unable to accept online orders, the business unit owner needs to understand what will happen if IT doesn't install the patch and mitigate the risks. The risk of not implementing the remedy is not just that they fall out of compliance. It could also mean that they would fall out of support parameters with the operating system or application vendor. And, of course, there's the risk that the system could be compromised and the precious data housed within it stolen or exposed. That, in turn, could lead to fines and loss of customers, as well as hurting the reputation of the company through negative publicity.

There are a number of steps involved in mapping out an enterprise risk management strategy. The first step is to evaluate the relationship between IT security risk levels and business costs. Executive management—in both the business camp and the IT camp—needs to define an acceptable level of risk for the organization as a whole. IT operations and security management then need to look at the different security tools that provide risk information. Finally, IT management needs to weigh the value of their risk information against the cost to get and analyze that information from the different security tools.

When defining a risk management strategy for your enterprise, it's critical to take into account these key requirements:

  1. Early notification of new vulnerabilities
  2. Asset discovery and determination of which are most critical and which are vulnerable
  3. Prioritized remediation activities
  4. Compliance monitoring
  5. Reporting of risk levels and costs to business executives

As the IT risk management vision matures, the strategy should also include some considerations that may be on the periphery of the current mainstream definition of IT security. Network access control, identity management, data leakage prevention, and even remediation must all be brought into the framework to ensure the protection of valuable data.

If each additional technology that can be implemented and integrated into one cohesive dashboard improves the risk posture of your enterprise, so much the better. The technologies themselves don't change risk. They do, however, help your company lower its risk exposure to an acceptable level by providing mitigating controls. With the correct integration of solutions, the whole is greater than the sum of the parts. In other words, the benefits of multiple individual solutions—if they are integrated—yield more risk reduction than all of the products working alone.

The next level of integration is very near. In this vision, a network-level protection strategy can communicate with endpoint security products and improve overall protection. Network-layer intrusion protection systems can safely allow malicious traffic to pass, knowing that the properly configured agents on the endpoint will provide the requisite protection, which in turn reduces the latency imposed on beneficial traffic on the network. Outside the enterprise, you can enforce the same level of protection through the endpoint agents without requiring the network layer. This universal policy enforcement allows for improved management of the end device, improved availability to the business, and comprehensive, accurate compliance reporting.

A successful security risk management team will plan the processes, policies, and controls for an 18-month period. This time window bridges annual budgeting cycles, includes quarterly reviews against changing business requirements (including regulations) and security threats, and allows more predictable allocations of human and capital assets. An 18-month plan reinforces the view that security risk management is a long-term process that requires commitment that rises above individual or group preferences, enthusiasms, and fire drills. The plan should, above all, take into consideration the needs of the business during those 18 months. IT chiefs should present the plan to management to ensure that the priorities are aligned. And, they need to get agreement from all stakeholders. Periodic review allows for midcourse corrections and alterations with full visibility.

Security risk management is a process, not a product that you can buy. It's a way of supporting business that helps organizations proactively identify and eliminate exposures, block attacks, manage compliance, and implement remediation strategies. IT security becomes just another aspect of the business's overall risk management and mitigation strategies. Through a consistent, unified approach to policy, assessment, protection, and compliance processes, your organization can confidently go down a path where appropriate business protections are applied and security risk becomes manageable. Efficient management of this risk will deliver better protection for the lifeblood of your business—intellectual capital and strategic competitive advantage.