Today, risk is The New Black.
For years, the security market relied on the FUD (fear, uncertainty, and doubt) generated by each new attack trend to move new products and new technologies. When compliance came along, it brought with it a guaranteed budget for, and guaranteed buyers of, compliance solutions, regardless of whether those buyers felt they really needed them.
Risk is more than just a buzzword, however. Senior management is no longer as willing to spend, spend, spend on the latest security defense without some form of justification. Security pros not only want to provide a reasonable justification for their investments, they also want to demonstrate how well their efforts perform. That is not easy when doing a good job means, basically, that nothing happens.
Risk management offers a way to do just that. By borrowing concepts already accepted in other domains of risk, such as actuarial or financial analysis, it gives security professionals new tools for determining which risks matter, and for measuring the effectiveness of risk controls in terms that management can understand.
One of the benefits of this approach is it gives the business new tools with which to measure whether a new risk control purchase is necessary. This is causing IT pros on both sides of the house (security and ops) to look at all their management investments in an entirely new light.
Improving risk management does not necessarily mean buying the latest tool. Better configuration management alone would improve IT risk management, which means many IT shops may already be in a good position to improve their risk posture based on investments they've already made. Yet many do not even know it.
Think about it: it's easy to see the risk management value of security or regulatory compliance tools, which focus on the negative (security threats, insider risks, business malfeasance, and so on). Yet IT management solutions also address risk, in their case the risk to IT's positive values: the availability, performance and support of business-critical resources. Both share a common interest in resource integrity and in assurance against disruption that could threaten the business itself.
Is your organization pursuing an IT optimization effort such as ITIL? If so, why not take advantage of that effort to improve the management of IT risks across the board? Conversely, can you leverage your IT governance or COBIT initiatives to improve the management of IT risks on both the positive (IT service delivery) and the negative (security, insider threats) sides of the equation?
These questions, which bridge the gaps between IT operations and security under the umbrella of risk, are becoming much more common, and the answers have been eye-openers in some cases.
For example, in 2006 my company EMA surveyed over 150 organizations pursuing a configuration management database (CMDB) implementation. In this survey, we asked IT shops implementing a CMDB what their top priority was for the coming year. The response? Security.
These weren't security pros, by the way. They were IT operations professionals whose primary job is delivering IT availability and performance.