Biztech Oct 11, 2012
Within risk management, there are three different landscapes: threats, vulnerabilities and assets. While it’s easy to focus on outside threats and vulnerabilities inside your business, it’s also vital to examine your assets, because understanding information and its business value will determine the best way to protect it.
The Evolution Of Risk Management: The New Paradigm Of IT
Risk management is not a new concept at all; it has been around for many decades, so you may be wondering why we are still struggling with it when it comes to IT and information management. Risk management comprises three components: threats, vulnerabilities and assets.
The Data-centric Approach: Focus On The ‘I’ In ‘IT’
When we go out and analyse the various pieces of information that exist in an organisation, we find that 40 percent to 50 percent of all the data in that organisation has no business value. At the end of the day, it is the information that drives the business, not the technology. The technology is simply a means to an end. So the 'Information' in IT needs to be much bigger and the 'Technology' in IT needs to be much smaller.
What Does It Mean To Have A Data-centric Approach?
It means knowing what data is powering the most critical processes that take place within a business. If there's an application that's consuming 3000 employee phone numbers, you know that it is not nearly as important as an application that may be consuming 4000 customer credit cards. So understanding the information, where it exists, how it flows, how it's used and who uses it becomes absolutely critical to the practice of risk management.
The Disappearing Walls Of A User-centric World
The most strategic choice that someone could make in their security approach is looking at their data and understanding who needs to have access to it and where it needs to be. Everything else follows from that one decision. People are bringing iPads and iPhones and accessing things all over the place, so the walls are now disappearing. You therefore need to take a different approach to security, based on a data-centric and identity-centric model, to look at how you protect that data. A different strategy is emerging where you say: here's the data that we want people to access; those people who need access can have it, and those who don't need access are, by default, not going to get it. Applying that default-deny model really changes things: it makes it easier and more cost-effective to reach the security levels you need, as well as to show compliance with the applicable laws and regulations.
The Three Landscapes
What we provide our clients with is an instant view of the state of their security, and we do that by providing insight into three of what we call landscapes. There is the threat landscape: understanding what is truly out there, both from a global perspective and those threats that are specific to their enterprise. Then there is the exposure landscape: which vulnerabilities you should be addressing. Then there is the asset landscape. By bringing these three landscapes together, you truly have the risk definition worked out and visible to the customer.
When we talk to our customers they always ask us the same question: how can we be more secure? There is an implicit recognition that there is no such thing as absolute security. There are going to be cases where your security is breached. There are going to be cases where there are small incidents. The solution is to make sure that if and when you do fail, you don't falter where it really hurts. You fail small, you learn from that, you move on, and so you become more secure with every failure.
The Bedrock Of New Security
What's most exciting about this time is the fact that users are now more in control. They are defining how they want to access data and how they want to do business. Lawmakers are now noticing what's happening with data breaches, and they are making enterprises large and small responsible for protecting consumers' data. Privacy is going to drive, more and more, the way companies approach risk management and the trade-offs that they make underneath that risk management layer.
Our role in the security industry is much more than protecting individual organisations. The insight we have, the expertise we have and the assets we have give us the duty to share what we've learnt with the larger community.
So being on top of the new trends, letting our clients know what those are and proactively protecting them against those trends: that's our mission.
The author is Principal Consultant – Professional Services, Terremark – a Verizon Company.