Seven steps to managing IT Risk

Came across this overview read from a Gartner research note recently. It lays out seven recommended steps managing risk.

• Implement a framework for risk assessment and mapping.
• Establish the responsibilities of risk managers with their areas of responsibility.
• Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
• Determine the threat level, and focus on those risks with the highest impact on performance.
• Establish levels of controls for processes commensurate with the perceived threat.
• Record and retain risk incident and near-miss information.
• Conduct periodic risk assessments to determine changes in the operations risk profile and assess control performance.

Great advice. These seven steps are precisely what IT-GRC solutions should help an Enterprise accomplish. They provide the construct (aka think configuration wizard) for establishing and maintaining a quality risk management program. If you have on your company priority list advancing the the risk mitigation/management capabilities or if you've recently been burned, take the time and check out some of our new product demonstration videos. We strive to be transparent around what we offer with our software. That's why our marketing isn't really "marketing" it's live product in action. Come check it out.

Evolution of IT Security to Risk; driving IT GRC acceptance?

Great summary by Michael Rasmussen of Corporate Integrity on the 2008 State of the GRC market was posted earlier this month.

I believe the title of one of the sections itself summarizes one of the biggest benefits of GRC, "GRC is About Organization Collaboration." He is 100% correct from my perspective - independent of the people, technology and process - GRC solutions are about using software automation to help enterprises collaborate to reduce their exposure to the big three buzz areas each of those letters in the acronym represent (Governance, Risk, Compliance).

Now, GRC solutions can't and won't solve these problems alone. They are part of an overall ecosystems of technical control products, best practice processes and people communication/expertise. You still need your Vulnerability, SIEM, IDS/IPS, Firewalls and other security products. You still need your COBIT, ISO, ITIL and other best practice processes. And of course, you still need the people who should know the overall business goals and priorities and then apply their expertise on how IT can help achieve those goals. GRC as mentioned before is the organization collaboration construct that can successfully bring all these complex areas together into a tight and cohesive Governance, Risk and Compliance strategy.

Another article I came across starts to highlight how some organizations are starting to elevate beyond operational security to strategic risk centric in culture. Tim Wilson over at Dark Reading just put out this great write-up yesterday titled; Market's Message to Security Pros: Adapt or Die.

-snip-
"...the question now is not how precarious the security manager's job is, but what it may evolve into, Schmidt observed. "As it becomes more about risk, security is not necessarily an IT problem. More and more, you see companies creating positions such as chief risk officer, who may report to a chief operating officer, and in some cases, the CSO might report to the [risk officer]."
-snip-

This trend points directly at GRC solutions that can provide the common construct to help all aspects of the organization collaborate. A decent analogy may be what ERP was to the CFO, GRC is to the CRO.

One last article that also points towards the trend around moving operational security tasks back into IT operations and thus security analysts evolving into internal Risk Consultants to the IT organization would be this blog from Trent Henry over at Burton Group. Once these "Risk Consultants" are created, GRC provides the collaborative platform to conduct their more strategic initiatives mentioned; policy, risk & compliance monitoring, assessment program development, etc.

Nice GRC write-up and how it relates to log management initiatives

Anton wrote a nice piece, called "Unified GRC: Replacing a piecemeal response to compliance" for SC Magazine defining GRC and how it fits together with other areas of security and prevention management. The article, as expected, has a major slant toward Log Management, but it is a very good summary that also highlights other key capabilities / areas important to GRC.

Even though most security vendors are marketing IT Risk Management, many customers are beginning to realize there is this new breed of software products that compliments your vulnerability, log, configuration security solutions. These IT GRC products normalize all the various regulatory or standardization controls into a common framework and then pull scores/results/data from these products into that model to go along-side data gathered from controls that can't be instrumented with software (e.g., people, processes, procedures, physical). As mentioned in previous posts, without this other side of the coin you're not getting a complete picture of risk/compliance/governance.

So if you you've already made investments in these other products but need something to pull them together into a unified view and are looking to get the complete picture, come check out IT GRC.

Great tutorial on Information Security Program Metrics

While reading a blog posting this morning I came across a great set of slides called "Measuring Security."

Slide 15 nails what are the questions security programs should answer on the head...
How secure am I?
Am I better off than this time last year?
Am I spending the right amount of money?
How do I compare to my peers?
What risk transfer options do I have?

Slide 36 has a great quote on "Risk Management"
The essence of risk management lies in maximizing the areas where we have some control over the outcome, while minimizing the areas where we have absolutely no control over the outcomes and the linkage between effect and cause is hidden from us.

The next 300 slides is a ton of background detail...overkill until your really ready to dig in. I would simply recommend for now jumping to slide 402 to get to the punchline; here are some of the recommended metrics:

• Cost of security per transaction
• DoS and other attack downtimes
• Data flow per transaction & per source
• Budget correlation with risk measures
• Comparison with like firms
• Percentage of critical systems under DR plan
• Percentage of systems obeying ______ policy
• MTBF & MTTR for security incidents
• Number of security team consultations
• Latency to obey ______ change orders
• Percentage of job reviews involving security
• Percentage of security workers with training
• Ratio of b.u. security staff to central staff
• New system timely security consultations
• Percentage of programs with budgeted security
• Percentage of SLAs with security standards
• Percentage of tested external-facing applications
• Number of non-employees with access
• Percentage of data secure-by-default
• Percentage of customer data outside data center

Where all this detail is extremely important, the beautiful thing about what Securityworks offers is it has built a method to normalize any/all metrics into a single score. Think of it as your grade point average where you then have the ability to drill-down from the top and see how your doing for each subject, on each test, homework assignment, etc.