The 'New Black': Risk Management Unites Both Sides of IT's House

By Scott Crawford


It’s everywhere. You can’t miss it. Just about every vendor in security has worked it into its marketing jargon. Only a few years ago, “compliance” was the buzz term that seemed to find its way into every story, however irrelevant. No more. In the last year, the title has gone to a new contender.

Today, risk is “The New Black”.

For years, the security market relied on the FUD (fear, uncertainty, and doubt) generated by each new attack trend to move new products and new technologies. When compliance came along, it brought with it a guaranteed budget for, and guaranteed buyers of, compliance solutions, regardless of whether those buyers felt they really needed them.

Today, risk management is taking over as the dominant theme in security. It’s overtaken compliance in many respects because, to a large degree, risk management is what compliance is all about. Taking a disciplined approach to IT controls is a key factor in effective IT governance. This trifecta of governance, risk and compliance has become the key theme of new classes of products that bring these values together under the term “GRC.”

Risk is more than just a buzzword, however. Senior management is no longer as willing to spend, spend, spend on the latest security defense without some form of justification. Security pros not only want to provide a reasonable justification for their investments, they also want to demonstrate how well their efforts perform. That is not so easy when doing a good job means, basically, that nothing happens.

Risk management offers a way to do just that. By borrowing concepts accepted in other domains of risk, such as actuarial or financial analysis, it gives security professionals new tools for determining which risks matter, and for measuring the effectiveness of risk controls in ways that management can understand.

One of the benefits of this approach is it gives the business new tools with which to measure whether a new risk control purchase is necessary. This is causing IT pros on both sides of the house (security and ops) to look at all their management investments in an entirely new light.

It may not be necessary to improve risk management by buying the latest tool. Better configuration management alone would improve IT risk management. This means many IT shops may already be in a good position to improve their risk posture based on investments they’ve already made. Yet, many do not even know it.

Think about it: It’s easy to see the risk management values of security or regulatory compliance tools, which focus on the negative (security threats, insider risks, business malfeasance, and so on). Yet IT management solutions, too, focus on the risk to IT’s positive values of business-critical resource availability, performance and support. Both aspects share a common interest in resource integrity and assurance against disruption that could threaten the business itself.

ITIL’s Role

Is your organization pursuing an IT optimization effort such as ITIL? If so, why not take advantage of that effort to improve the management of IT risks across the board? Conversely, can you leverage your IT governance or COBIT initiatives to improve the management of IT risks—on both the positive (IT service delivery) as well as the negative (security, insider threats) sides of the equation?

These questions that bridge the gaps between IT operations and security under the umbrella of risk are becoming much more common—and the answers have been eye-openers in some cases.

For example, in 2006 my company EMA surveyed over 150 organizations pursuing a configuration management database (CMDB) implementation. In this survey, we asked IT shops implementing a CMDB what their top priority was for the coming year. The response? Security.

These weren’t security pros, by the way. They were IT operations professionals whose primary job is delivering IT availability and performance.

Surprised? You shouldn’t be. One of the top priorities of security management is to build an asset inventory that gives insight into which IT assets are at risk, and how relationships between those assets affect the risk posture. IT pros on both sides of the house increasingly recognize these values, in part because taking a risk management view of IT helps reveal the connections between IT service optimization and risk control. The IT Governance Institute echoes this awareness through initiatives such as the recent mapping of COBIT 4.0 to ITIL as well as to security best practices such as ISO 17799 (since renumbered ISO/IEC 27002).

This trend should not be as surprising as it may sound. Years ago, change audit and control tools such as those offered by Tripwire saw their first wide acceptance, not for their IT service management values, but as security enablers; as a means to instrument the detection of unauthorized change resulting from exploit or attack.

They have since been recognized for the value they contribute to IT service management. Yet their importance is now coming full circle: as a key enabler of risk control, they play a significant role in monitoring events that not only threaten IT’s positive values but also indicate that the bad guys may be afoot.
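The change-audit idea above, in working form as an added example (not the article's or any vendor's code): record a baseline of every regular file under a tree (SHA-256 of contents, size, permission bits), then re-scan and report what was added, removed, modified, or had its mode changed. The directory layout, file contents and the simulated "intrusion" in `demo()` are constructed here so the block runs offline; the path names are assumptions, not anything from the article.

```python
"""Minimal change-audit check in the spirit of Tripwire-style tools.

Added example, not the article's or any vendor's code. It records a baseline
of every regular file under a root (SHA-256 of contents, size, permission
bits) and later reports what changed. Sample files are constructed here.
"""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path):
    """Return content hash, size and permission bits for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Walk root and fingerprint each regular file, keyed by relative path.

    Symlinks are skipped on purpose: following them would let an attacker
    point a "monitored" path at content outside the tree.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _fingerprint(full)
    return baseline


def compare_baselines(old, new):
    """Classify differences as added, removed, modified or mode_changed.

    A file can appear in both 'modified' and 'mode_changed'; a permission
    change with untouched content is reported on its own, since that is a
    classic sign of tampering a pure content hash would miss.
    """
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            if old[rel]["sha256"] != new[rel]["sha256"]:
                report["modified"].append(rel)
            if old[rel]["mode"] != new[rel]["mode"]:
                report["mode_changed"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a small tree, simulate unauthorized
    changes, and return the resulting change report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        passwd = os.path.join(etc, "passwd")
        sshd = os.path.join(etc, "sshd_config")
        with open(passwd, "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        os.chmod(passwd, 0o644)
        os.chmod(sshd, 0o644)
        before = build_baseline(root)

        # Simulated unauthorized changes (assumed, for illustration): the SSH
        # config is weakened, a cron backdoor is dropped, and the password
        # file is made world-writable without touching its contents.
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "cron.backdoor"), "w") as f:
            f.write("* * * * * /tmp/.x\n")
        os.chmod(passwd, 0o666)
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In production the baseline itself must be stored somewhere the monitored host cannot rewrite (signed, or on a separate system); a baseline an intruder can regenerate after the fact tells you nothing.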

New Uses for Existing Tech

Other risk technologies that bridge IT operations and security include event management systems. In IT ops, they perform root cause analysis of IT service problems. In security, they correlate events to recognize a threat. Uniting these two perspectives can help businesses distinguish the true root cause of system events, and improve the “distant early warning” of potential governance or compliance risks. They also contribute directly to the accumulation and maintenance of “audit-worthy” evidence of the effectiveness of IT risk controls.
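What "uniting these two perspectives" looks like in code, as an added example that is not the article's or any vendor's product logic: three constructed feeds (availability monitor, change audit, authentication log) are joined on host and a time window, so an outage can be attributed to the change that preceded it, and a change preceded by a burst of failed logins is surfaced as a possible intrusion rather than a routine operations problem. The log format, host names, window and failure threshold are all assumptions made for this illustration.

```python
"""Cross-domain event correlation, as an added example (not the article's or
any vendor's code). Joins availability, change-audit and authentication
events on host and time window. Log lines, hosts and thresholds are
constructed assumptions for illustration only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample feed: "<ISO8601 UTC> <kind> key=value ..."
SAMPLE_LOG = """\
2007-03-12T02:14:03Z change host=web01 path=/etc/httpd/httpd.conf action=modified user=svc-deploy
2007-03-12T02:15:10Z avail host=web01 service=httpd state=down
2007-03-12T03:40:01Z auth host=db02 user=admin result=fail src=10.0.9.7
2007-03-12T03:40:04Z auth host=db02 user=admin result=fail src=10.0.9.7
2007-03-12T03:40:08Z auth host=db02 user=admin result=fail src=10.0.9.7
2007-03-12T03:40:11Z auth host=db02 user=admin result=fail src=10.0.9.7
2007-03-12T03:40:15Z auth host=db02 user=admin result=fail src=10.0.9.7
2007-03-12T03:40:20Z auth host=db02 user=admin result=ok src=10.0.9.7
2007-03-12T03:41:22Z change host=db02 path=/etc/sudoers action=modified user=admin
2007-03-12T03:42:00Z avail host=db02 service=mysqld state=down
2007-03-12T05:10:00Z avail host=app03 service=tomcat state=down
"""


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
              .replace(tzinfo=timezone.utc), "kind": kind}
        ev.update(p.split("=", 1) for p in pairs)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=10), fail_threshold=5):
    """For each service-down event, look back `window` on the same host.

    No change in the window      -> "unexplained outage" (pure ops problem)
    A change in the window       -> "change-induced outage"
    ...and >= fail_threshold failed logins before that change
                                 -> "suspected compromise" (security problem)
    """
    findings = []
    for ev in events:
        if ev["kind"] != "avail" or ev.get("state") != "down":
            continue
        start = ev["ts"] - window
        same_host = [e for e in events
                     if e["host"] == ev["host"] and start <= e["ts"] <= ev["ts"]]
        changes = [e for e in same_host if e["kind"] == "change"]
        finding = {"host": ev["host"], "service": ev["service"],
                   "at": ev["ts"].isoformat(), "evidence": []}
        if not changes:
            finding["category"] = "unexplained outage"
            findings.append(finding)
            continue
        first_change = changes[0]
        finding["evidence"].append(
            "change %s by %s at %s" % (first_change["path"],
                                       first_change["user"],
                                       first_change["ts"].isoformat()))
        fails = [e for e in same_host if e["kind"] == "auth"
                 and e.get("result") == "fail" and e["ts"] <= first_change["ts"]]
        if len(fails) >= fail_threshold:
            finding["category"] = "suspected compromise"
            finding["evidence"].append(
                "%d failed logins for %s from %s before the change"
                % (len(fails), fails[0]["user"], fails[0]["src"]))
        else:
            finding["category"] = "change-induced outage"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        print(f["at"], f["host"], f["category"], f["evidence"])
```

The same three events on db02 would look like an ordinary config error to an ops-only console and like an unrelated brute-force alert to a security-only console; only the join across feeds produces the "compromise, not mistake" verdict, and the evidence list is exactly the audit trail an assessor will ask for later.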

The service desk is yet another focus of shared interest between risk management and IT optimization. Response to a risk event may mean follow-up—analyzing a vulnerability, deploying a patch, investigating behavior, improving education. The workflow capabilities of the service desk can play a key role in delivering an effective response. Yet, one of the biggest benefits of a comprehensive view of risk management may be in getting security and IT ops to play nice with each other.

These two groups often disagree because they serve different priorities. Operations wants to make sure IT is highly available, whereas security wants to keep things as safe as possible. Yet they do have common interests: defending critical IT services against disruption is an operations priority, while security pros are dedicated to assuring the “A” in security’s “CIA” triad of confidentiality, integrity and availability.

Giving them a common goal—such as agreement on the tools and processes that improve their cooperation—may be one of the greatest benefits of taking the high road of risk management that speaks to both sides of the issue.

Because, after all, it’s all about risk.

Scott Crawford is a research director of the Security and Risk Management practice with Enterprise Management Associates in Boulder, Colo., an industry analyst firm focused on all aspects of enterprise management systems and services. The former information security chief for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria, Scott has also worked with the University Corporation for Atmospheric Research as well as Emerson, HP, and others. He can be reached at scrawford@enterprisemanagement.com.