Monday, July 21, 2008

Seven steps to managing IT Risk

Came across this overview in a Gartner research note recently. It lays out seven recommended steps for managing risk.

  • Implement a framework for risk assessment and mapping.
  • Establish the responsibilities of risk managers with their areas of responsibility.
  • Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
  • Determine the threat level, and focus on those risks with the highest impact on performance.
  • Establish levels of controls for processes commensurate with the perceived threat.
  • Record and retain risk incident and near-miss information.
  • Conduct periodic risk assessments to determine changes in the operations risk profile and assess control performance.

Great advice. These seven steps are precisely what IT-GRC solutions should help an Enterprise accomplish. They provide the construct (think configuration wizard) for establishing and maintaining a quality risk management program. If advancing your risk mitigation/management capabilities is on your company priority list, or if you've recently been burned, take the time to check out some of our new product demonstration videos. We strive to be transparent about what we offer with our software. That's why our marketing isn't really "marketing"; it's live product in action. Come check it out.


Saturday, May 31, 2008

So now everyone is an IT GRC vendor

As a marketeer for a technology company, you work really hard to tease out the key points of differentiation and attempt to coin a segment that defines your being. IT-GRC (short for Information Technology Governance, Risk & Compliance) is a term that started gaining momentum about a year ago. At that time Gartner, Forrester, EMA and other research analyst firms started using it to describe exactly what Securityworks does. Next thing you know customers are achieving tangible results from these solutions and the press begins writing articles about it.

Then along come tangential segments that do 20-30% of what we do...now all of a sudden they are "IT-GRC" vendors, since it's the new "hot" term.

Well, after all that hard work I have to simply say I love the candid article from Alex Handy over at Systems Management News. A couple quotes that say it perfectly...


When Jonathan Penn, research director at Forrester, walked around April's RSA conference, he was appalled by what he saw. “The vendors are destroying what's a very useful approach by claiming for themselves. If you're not an ITGRC vendor, just shut up,” said Penn.

“ITGRC is an incredibly valuable approach to security,” said Penn. “What I like about it is it's a good way to structure what IT does. But it's much more a practice than a product. The tools that manage things at a high level, those are the ITGRC products.”


We completely agree. No single product can encompass IT-GRC. Our product is a good foundation, but what's so very important is the people, process and technology that mold around our product. This includes the integration points with other security products into a unified view of your overall security program, not those products calling themselves IT-GRC.


Thursday, April 24, 2008

Evolution of IT Security to Risk; driving IT GRC acceptance?

Great summary by Michael Rasmussen of Corporate Integrity on the 2008 State of the GRC market was posted earlier this month.

I believe the title of one of the sections itself summarizes one of the biggest benefits of GRC, "GRC is About Organization Collaboration." He is 100% correct from my perspective - independent of the people, technology and process - GRC solutions are about using software automation to help enterprises collaborate to reduce their exposure to the big three buzz areas each of those letters in the acronym represent (Governance, Risk, Compliance).

Now, GRC solutions can't and won't solve these problems alone. They are part of an overall ecosystem of technical control products, best practice processes and people communication/expertise. You still need your Vulnerability, SIEM, IDS/IPS, Firewalls and other security products. You still need your COBIT, ISO, ITIL and other best practice processes. And of course, you still need the people who know the overall business goals and priorities and can apply their expertise on how IT can help achieve those goals. GRC, as mentioned before, is the organizational collaboration construct that can successfully bring all these complex areas together into a tight and cohesive Governance, Risk and Compliance strategy.

Another article I came across highlights how some organizations are starting to elevate beyond operational security to a strategic, risk-centric culture. Tim Wilson over at Dark Reading just put out this great write-up yesterday titled "Market's Message to Security Pros: Adapt or Die."

-snip-
"...the question now is not how precarious the security manager's job is, but what it may evolve into, Schmidt observed. "As it becomes more about risk, security is not necessarily an IT problem. More and more, you see companies creating positions such as chief risk officer, who may report to a chief operating officer, and in some cases, the CSO might report to the [risk officer]."
-snip-


This trend points directly at GRC solutions that can provide the common construct to help all aspects of the organization collaborate. A decent analogy: what ERP was to the CFO, GRC is to the CRO.

One last article that also points toward this trend is this blog post from Trent Henry over at Burton Group: operational security tasks move back into IT operations, and security analysts evolve into internal Risk Consultants to the IT organization. Once these "Risk Consultants" are created, GRC provides the collaborative platform for the more strategic initiatives he mentions: policy, risk & compliance monitoring, assessment program development, etc.


Tuesday, April 8, 2008

Circumventing Enterprise Security Policies

Interesting article on how employees are circumventing IT Security Department policies.

This, of course, exposes the company to IT GRC concerns (Governance, Risk & Compliance). A couple of hard numbers jumped out at me.

"80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user's identity and surfing habits from IT monitoring tools."

"...half of the enterprises studied by Palo Alto are supporting Tor or other methods for encrypted "tunneling" through the corporate network. Tunneling enables the user to bypass IT traffic enforcement mechanisms."

A comprehensive security policy starts from the top down with an IT-GRC solution. It then incorporates all the scoring, controls and assessment automation products into a unified view to help expose situations like those identified in this study. Once exposed and the risks understood, the priorities can be set to help quickly resolve these issues.


Monday, March 24, 2008

Nice GRC write-up and how it relates to log management initiatives

Anton wrote a nice piece, called "Unified GRC: Replacing a piecemeal response to compliance" for SC Magazine defining GRC and how it fits together with other areas of security and prevention management. The article, as expected, has a major slant toward Log Management, but it is a very good summary that also highlights other key capabilities / areas important to GRC.

Even though most security vendors are marketing IT Risk Management, many customers are beginning to realize there is a new breed of software products that complements your vulnerability, log and configuration security solutions. These IT GRC products normalize all the various regulatory or standardization controls into a common framework and then pull scores/results/data from those products into that model, alongside data gathered from controls that can't be instrumented with software (e.g., people, processes, procedures, physical). As mentioned in previous posts, without this other side of the coin you're not getting a complete picture of risk/compliance/governance.

So if you've already made investments in these other products but need something to pull them together into a unified view and are looking to get the complete picture, come check out IT GRC.


Monday, March 17, 2008

IT GRC is the next evolution for the Enterprise Security Organization

Great write-up and perspectives from the GRC guru, Michael Rasmussen: "What is IT GRC?"

-snip-
Interestingly enough, I was at an event last week of a dozen senior IT executives and we discussed this concept of IT-GRC. These were all Fortune 500 firms. Going around the room each was spending on average 5-6% of their IT budget this year on IT-GRC. A few were lower than this in the 2-3% range while one, who was significantly working on their IT-GRC strategy, was spending about 12% of their IT budget on IT-GRC.
-snip-

Bottom line, the solutions in the IT-GRC space continue to mature and evolve, BUT the truth is they can and will help save Fortune 500 IT Security organizations money through automation today! There is no reason a Fortune 500 company should be spending this much of its IT budget on IT-GRC when these products today significantly reduce the amount of manual labor (consultants) performing these governance, risk & compliance duties.


Monday, March 10, 2008

Great tutorial on Information Security Program Metrics

While reading a blog posting this morning I came across a great set of slides called "Measuring Security."

Slide 15 hits the nail on the head with the questions a security program should answer:

• How secure am I?
• Am I better off than this time last year?
• Am I spending the right amount of money?
• How do I compare to my peers?
• What risk transfer options do I have?

Slide 36 has a great quote on "Risk Management":
The essence of risk management lies in maximizing the areas where we have some control over the outcome, while minimizing the areas where we have absolutely no control over the outcomes and the linkage between effect and cause is hidden from us.

The next 300 slides are a ton of background detail...overkill until you're really ready to dig in. For now I would simply recommend jumping to slide 402 to get to the punchline; here are some of the recommended metrics:

• Cost of security per transaction
• DoS and other attack downtimes
• Data flow per transaction & per source
• Budget correlation with risk measures
• Comparison with like firms
• Percentage of critical systems under DR plan
• Percentage of systems obeying ______ policy
• MTBF & MTTR for security incidents
• Number of security team consultations
• Latency to obey ______ change orders
• Percentage of job reviews involving security
• Percentage of security workers with training
• Ratio of b.u. security staff to central staff
• New system timely security consultations
• Percentage of programs with budgeted security
• Percentage of SLAs with security standards
• Percentage of tested external-facing applications
• Number of non-employees with access
• Percentage of data secure-by-default
• Percentage of customer data outside data center

While all this detail is extremely important, the beautiful thing about what Securityworks offers is that it has built a method to normalize any/all metrics into a single score. Think of it as your grade point average, where you then have the ability to drill down from the top and see how you're doing for each subject, on each test, homework assignment, etc.
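To make the "grade point average" idea concrete, here is an added example (not Securityworks' product code, whose scoring method the post does not describe) of one way to roll heterogeneous metrics up into a single 0-100 score with drill-down. It takes a few of the metrics from the slide list above, normalizes each raw value onto a 0-1 scale with a direction ("higher is better" for percentages, "lower is better" for MTTR or head counts), and averages them with weights through a tree of groups. The targets, weights, group names and sample values are all assumptions constructed for the example.

```python
"""Weighted roll-up of mixed security metrics into one score, with drill-down per level."""
from dataclasses import dataclass
from typing import Callable, List, Union

# A normaliser maps a raw metric value onto a 0.0-1.0 score (1.0 = best).
Normaliser = Callable[[float], float]


def higher_is_better(target: float) -> Normaliser:
    """Score rises linearly to 1.0 as the value reaches `target` (e.g. 100 percent)."""
    return lambda v: max(0.0, min(1.0, v / target))


def lower_is_better(target: float, worst: float) -> Normaliser:
    """Full marks at or below `target`, zero at or above `worst`, linear in between."""
    def norm(v: float) -> float:
        if v <= target:
            return 1.0
        if v >= worst:
            return 0.0
        return 1.0 - (v - target) / (worst - target)
    return norm


@dataclass
class Metric:
    name: str
    value: float
    normalise: Normaliser
    weight: float = 1.0

    def score(self) -> float:
        return self.normalise(self.value)


@dataclass
class Group:
    name: str
    children: List["Node"]
    weight: float = 1.0

    def score(self) -> float:
        # Weighted mean of the children; each child is a metric or a sub-group.
        total_weight = sum(c.weight for c in self.children)
        return sum(c.score() * c.weight for c in self.children) / total_weight


Node = Union[Metric, Group]


def drill_down(node: Node, depth: int = 0) -> List[str]:
    """Report lines, one per node, indented by level: the GPA broken out by subject and test."""
    lines = [f"{'  ' * depth}{node.name}: {node.score() * 100:.1f}"]
    if isinstance(node, Group):
        for child in node.children:
            lines.extend(drill_down(child, depth + 1))
    return lines


# Constructed sample values (assumptions, not real measurements) for a few of the
# metrics named in the slide deck; targets and weights are likewise assumed.
PROGRAM = Group("Security program", [
    Group("Resilience", [
        Metric("Percentage of critical systems under DR plan", 80, higher_is_better(100)),
        Metric("MTTR for security incidents (hours)", 12, lower_is_better(target=4, worst=48)),
    ], weight=2.0),  # resilience weighted twice as heavily as the other areas
    Group("Application security", [
        Metric("Percentage of tested external-facing applications", 60, higher_is_better(100)),
        Metric("Percentage of SLAs with security standards", 50, higher_is_better(100)),
    ]),
    Group("People", [
        Metric("Percentage of security workers with training", 90, higher_is_better(100)),
        Metric("Number of non-employees with access", 25, lower_is_better(target=10, worst=100)),
    ]),
])


def overall_score() -> float:
    """Top-level score on a 0-100 scale, rounded to one decimal."""
    return round(PROGRAM.score() * 100, 1)


if __name__ == "__main__":
    print("\n".join(drill_down(PROGRAM)))
```

The drill-down output shows where a mediocre top-level number comes from: with the sample values, application security drags the program down while resilience and people score well, which is exactly the "which subject is hurting my GPA" question the post describes.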


Monday, March 3, 2008

Going beyond technical security controls

Anton last week had this great write-up in ComputerWorld, "Five Basic Mistakes of Security Policy," that hits the 5 basics that so many busy executives look past when leading a security organization.

  1. Not having a policy
  2. Not updating the policy
  3. Not tracking compliance with the policy
  4. Having a "tech only" policy
  5. Having a large, unwieldy policy

One of the biggest we see every day is #4. Most enterprises have some policy in place that they update (typically annually before a pending audit). Their current compliance tracking is provided by one or more software products that unfortunately don't have the full picture.

The reason why comes down to #4. Traditionally, enterprises have thrown either a vulnerability scanner, security event/log manager or another security software application at a list of IP addressable assets...generate a few reports...and hope they have things covered.

Truth be told, this misses so much of the full picture (over 50% per previous blog posts) that even the internal or external auditors don't have enough time to do a comprehensive review. The goal of those auditors is not a "witch hunt"; it's supposed to be to protect the company! So what happens is that each year things get more and more detailed (which is good), as findings from the prior year are addressed, allowing them to "peel the onion" back another layer.

This is why we are seeing the emergence of the IT GRC market that complements and extends these products you point at IP addressable assets. These solutions use automation techniques to assess security controls around things that are not IP addressable (e.g., people, processes, facilities). The other need these products address is a normalized, unified view of the entire security program. Leveraging scoring from other products, they finally deliver the possibility of 100% visibility into the posture of your entire IT security, risk or compliance program.


Monday, February 25, 2008

Top 3 conclusions about IT Risk Management we like hearing

I read a nice summary of a recent 40-page Symantec survey on IT Risk Management and felt compelled to share the links and highlights that jumped out. Symantec was recently noted as a leader in IT-GRC per this Gartner report.

The summary I read was posted by John Edwards over at ITSecurity.com.

Here are the conclusions that grabbed our eye:
  • Businesses would be far better served if they viewed security as an IT risk management element that can be addressed alongside other critical elements, such as availability, performance and compliance.
  • Technology alone can't mitigate IT risk. While technology plays a critical role in IT risk mitigation, balanced controls and frameworks are also necessary in order to provide complete risk management capabilities.
  • Management should consider implementing a continuous risk assessment process.


Wednesday, February 20, 2008

PCI Compliance not going away - 42% not compliant

My inbox, like yours, is filled with numerous advertisements and spam on a daily basis, but this one actually grabbed my attention! It started out by saying:

"according to VISA, 42% of large and medium-sized US merchants did not reach their respective PCI compliance deadlines. The penalty of non-compliance is merchants incur monthly fines (up to $25,000) until they meet and sustain data security compliance requirements."

Now that is some attention grabbing marketing and I plan to be on that virtual seminar.

Almost half (and that's not a number stacked by including small US merchants) is a very surprising figure. I looked around trying to find information behind the survey results but to no avail, so I'll be listening on the call for some details and facts to back it up. Since our IT GRC solution helps ensure that an enterprise is completely compliant with any regulation, I would like to hear what the top 2 or 3 reasons are that they aren't yet compliant, to see if they map to what we are hearing.


Wednesday, February 13, 2008

Gartner IT GRC Predictions

I just had a chance to take a look at some recent research put out by Gartner on the IT Governance, Risk & Compliance Management space (IT-GRC).

They do an artful job laying out the customer desired capabilities and scoping the size of the market opportunity.

A couple key points to soak in:
  • IT GRCM products provide functions that address needs expressed by 75% of the Gartner client base.
  • Gartner estimates that software license revenue for vendors...was $73million for 2007, and we project a growth rate of 70% for 2008.
This reinforces, with hard numbers, previous posts arguing that 2008 is indeed the year of IT Risk Management. Here are links to those previous posts...


I highly recommend heading over to Gartner's website and reading each report. Then come take a look at how Securityworks can help solve your IT-GRC needs by delivering those defined needs and capabilities.


Monday, January 28, 2008

Compliance costs not slowing down - technology automation to the rescue

Deloitte - Navigating the Compliance Labyrinth offers some great tidbits from recent surveying of financial executives.

  • Compliance costs continue to increase - from 2.83% of net income in 2002 to 3.69% of net income in 2006.
  • Primary costs continue to be driven by applying people, not technology, to the problem.
  • And the kicker from our perspective: measuring compliance performance remains largely a qualitative rather than a quantitative process. Only 55% of financial institutions reported using quantitative metrics, implying a limited application of process management tools and methodology.

Forget the name of the segment (e.g., GRC, IT-GRC, ERM, VM). The bottom line is taking a process management based approach backed by technology: commercial solutions (not home grown) that give enterprises the opportunity to leverage technology automation, reduce the number of people doing mundane/manual tasks, and thereby reduce compliance costs!


Wednesday, January 16, 2008

So much to read, so little time - Top Information Security Risks for 2008

Now this is impressive! It's going to take a while to read the supporting reference documents, but this summary is gold and from my perspective a must read for IT Risk Management.

In the primary summary document, "Top Information Security Risks for 2008," we get an impressive laundry list of threats & vulnerabilities, their impacts, the risks and the controls. Page 5 talks of specific risks, some of which can be addressed with various technical control products on the market, for example #2 - Information Leakage. If you want to get down and dirty understanding these products, spend some time with Rich over at securosis, specifically his blog entries and the summary that formed this white paper on understanding & selecting DLP solutions.

This section also highlights non-technical controls, audits, etc. in #5: "poor information security studies, risk assessments, projects/assignments and/or staffing/organization, causing failed, wasted, excessive or otherwise inadequate controls and practices selection, implementation, performance measurement, monitoring and/or auditing." Wow, that's a mouthful! But this is exactly what IT GRC is all about. By using these software platforms you can evolve from poor, ad-hoc attempts at mitigating this risk to ensuring your enterprise takes a comprehensive, top-down look at any and all potential risks and assesses their potential impact. If you then go down to #1 in the controls section of the document, you will see what in my eyes is basically an advertisement for an IT GRC solution and the process around deploying it: "investment in a good and systematic ISMS (Information Security Management System) incorporating high quality information assurance processes..."

A key statement back in #5 of the risks that I was surprised to see was the calling out of "excessive" controls. This is something we at Securityworks (especially Bryan) are passionate about. Some vendors in the IT GRC space believe in throwing the entire "book of controls" at it and you will be fine...we believe it's about making sure you have quality controls in place, not simply quantity. Bryan has talked about this previously.


Tuesday, January 15, 2008

2008 - The Year of IT Risk Management, Part 3 - More and more GRC oriented predictions!

I keep thinking I'm going to be able to move on to other topics related to IT Risk & Compliance management, but it's hard to when my blog reader keeps popping up more and more articles and postings that talk about 2008 predictions and how GRC and IT GRC are going to be the "in thing" this year for IT Security groups.

"IT & Compliance: 5 Big Predictions for 2008" highlights "...Managerial evolutions, such as process-centric IT and better application of risk-management principles to information security management, will help companies refine and streamline IT governance and compliance."

The post continues on later with two of the five predictions hitting on capabilities or features of IT GRC products.


Friday, January 11, 2008

2008 - The Year of IT Risk Management, Part 2 - Rise of IT GRC

The drumbeat of customer success stories, industry partnerships, market predictions, etc. for IT Governance, Risk and Compliance Management (IT GRC) continues to get louder and louder. Just caught this article over on TechTarget, "Security Management 2008 - What's in Store." About halfway through, Mike highlights the GRC space.

-snip-
Hopefully, security professionals will finally come to grips with the discipline that is preparing for an audit, which will result in an opportunity for vendors that provide so-called GRC products -- glorified reporting and workflow packages meant to automate the compliance process. These products allegedly automate the data gathering and reporting processes, so managers don't have to spend days (or weeks) preparing for the audits. Clearly that is a problem for security professionals that should be doing something more productive than preparing for an audit. It pains me to think that we'll need to implement yet another point product to solve a problem, but it is what it is.
-snip-

Even though skeptical, I'll take that as an endorsement for GRC in 2008! Mike, give us a shout if you would like a demo, a discussion, or even an introduction to customers using it.

2007 was a great year of education on the value of IT GRC, and we hope/expect 2008 to be the year customer implementations of this security automation take off! The ROI and team efficiency gains are tremendous, and it also reduces the headaches and frustrations security team members get when having to prepare for audits.

Oh yeah, here is part one of this blog series, "2008 - The Year of IT Risk Management," just in case you missed it.


Tuesday, January 8, 2008

How aware are your employees on IT security and risk policies?


Nice read that highlights 10 areas of risk that should be in focus for 2008. One that really jumped out, and which we are starting to hear more about here in the IT-GRC space, is awareness and training of employees on security and risk.

-snip-
Employee and Customer Awareness: It’s something everyone intends to do – better educate their employees and customers about the security threats that are facing institutions and customers. Now with the ID Theft Red Flags, it’s also been pushed to the top of the compliance list. Institutions by Nov. 1 must have a written program showing how they are educating their employees and customers about identity theft.

American Banker Association’s Doug Johnson, senior policy advisor for the largest industry association, lists this as one of the top risk management issues for 2008. ”Increasing your institution’s security awareness pays off in several ways -- employees learn how to protect the data they’re working with, and their awareness reduces the threat of the insider threat (either malicious or unintentional),” says Johnson. Many times the malicious insider can be stopped, if the people working with them are trained and are aware of the red flags that show the work habits and behaviors of a malicious insider. Do your employees know what to look for, what indicators there are that an insider is doing something on your networks or to your institution’s data?
-snip-

A new thing to many that was mentioned in here was "ID Red Flags." The federal ID Red Flags rules are supposed to be in place by November 1, 2008 (about 10 months from now). These rules (announced in November) implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Basically, each financial institution’s Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.

Part of this process is prevention, and one of the best ways to prevent something is through education: automated capabilities that require each employee to read what is expected of them in helping prevent Identity Theft. IT-GRC automation can help here by automating policy dissemination and acceptance tracking for owners of any company IT resource that may contain consumer identity information (e.g., from server owners to laptop owners and beyond).



Friday, January 4, 2008

2008 - The Year of IT Risk Management?

I've been busy over the holidays enjoying everyone's blogs and articles recapping 2007 and making predictions for 2008. Among other things highlighted in those articles, a common point relevant to Securityworks concerns "true" IT Risk Management (what I mean by "true" is that the message is coming from companies who didn't adjust their marketing to be en vogue - e.g., SIEM products or Vulnerability Assessment products).

Before IT Risk Management was "cool," Securityworks was out there working away on it (for over 4 years now).

One of my favorites that highlights this prediction for 2008 is over at Rational Survivability.

-snip-

Compliance stops being a dirty word & Risk Management moves beyond buzzword
Today we typically see the role of information security described as blocking and tackling; focused on managing threats and vulnerabilities balanced against the need to be "compliant" to some arbitrary set of internal and external policies. In many people's assessment then, compliance equals security. This is an inaccurate and unfortunate misunderstanding.

In 2008, we'll see many of the functions of security -- administrative, policy and operational -- become much more visible and transparent to the business and we'll see a renewed effort placed on compliance within the scope of managing risk because the former is actually a by-product of a well-executed risk management strategy.

We have compliance as an industry today because we manage technology threats and vulnerabilities and don't manage risk. Compliance is actually nothing more than a way of forcing transparency and plugging a gap between the two. For most, it's the best they've got.

What's traditionally preventing the transition from threat/vulnerability management to risk management is the principal focus on technology with a lack of a good risk assessment framework and thus a lack of understanding of business impact.

The availability of mature risk assessment frameworks (OCTAVE, FAIR, etc.) combined with the maturity of IT and governance frameworks (CoBIT, ITIL) and the readiness of the business and IT/Security cultures to accept risk management as a language and actionset with which they need to be conversant will yield huge benefits this year.

-snip-

Well said (but then again I'm biased)!
