How IT Security Fits into Your Enterprise Risk Management Framework

Have you ever tried to represent cyber security’s place in enterprise risk management graphically? If so, then it has likely been done as a pie chart. The slices of the pie chart contain various components such as your customer’s supply chain, operational risks, fraud and so on. Then for almost all businesses today, one of the slices in that pie becomes cyber security.

However, this pie-based view is a little misleading when it comes to cyber security. So how does cyber security risk affect other components of your client’s business, and what does this mean for your organization?

The Right View of Cyber Security Risk

Cyber risk management is more accurately seen as a Venn diagram where a portion of the pie slices intersect.

Instead of a pie chart, imagine the various assets in your client’s business stacked on top of each other to form a cylinder. The various slices of that cylinder will be factors such as third-party risks, supply chains and data assets. At the center, running through this stack of slices are your client’s core business processes.

Business methods today are almost always aided by digital technology and online communications. This means that rather than being another slice isolated from the others, cyber risk management must be a core function within your client’s business. It is the core of this “risk tower,” supporting their business processes and running through every other sector of the company.

How Cyber Security Affects Enterprise Risk Management

As the metaphor above implies, cyber security has become a business imperative for every other part of enterprise risk management. For example, when you talk about supply chain risk management, consider what happens if your client’s SCM portal goes offline, or the delay caused by onboarding a new supplier who cannot meet cyber security requirements.

As the client’s MSSP, you need to think about cyber security risk not as its own independent entity, but as part of the many portions of the enterprise risk model. This “Venn diagram” perspective allows you to bring the various portions together to see the effectiveness of your security program on all aspects of your client’s business.

Key Considerations for Cyber Security Risks

In general, there are three key elements of cyber security risks that you should evaluate when considering other components of enterprise risk management. All three must be in balance to help your cyber security program stand successfully.

  • Operation: Your client’s systems need to do what they are supposed to do for the business to run effectively.
  • Compliance: Whether it is FFIEC, HIPAA or other industry-specific buzzwords, your client’s systems need to operate in accordance with all applicable regulations.
  • Security: Your client’s systems need to operate in a safe and secure manner to protect internal and user data.

To use another metaphor, these considerations are like brakes on a car. We need our brakes because we want to drive, not stay parked in the garage, and we know that when we drive, we will eventually have to slow down or make a turn. Those brakes provide us security when driving the car, just as road signs guide us with compliance on the road ahead.

Similarly, balanced regulations and security controls allow businesses to drive ahead. Having these guardrails and keeping them in balance is critical in order to move the business at the pace that your customers need.

Final Thought

Cyber security is not just a slice of enterprise risk management, as it is often represented. Instead, it is a core component of all the elements in the enterprise risk management model. Understanding this fact is key to operating your business and having a successful risk management plan.

Quantitative v. Qualitative Measurements of Risk

While most MSSPs have a surface-level understanding of their customers’ “risk,” rarely do they invest the time to understand the implications. In particular, many organizations have a hard time differentiating between quantitative and qualitative risk, as well as the divergent impacts each can have on various parts of the business.

With that said, what are the distinctions between the two risk measurements, and why do you need to know the difference?

What Is Quantitative Risk?

Quantitative risk analysis involves assigning a defined dollar amount to a particular risk.

For example, if one of your customers keeps 500 confidential patient records on a server, you should work with them to conduct a business impact analysis to determine the replacement cost of each record. This would include expenses associated with informing patients of the attack, changing patients’ ID numbers, printing new health cards and so on.

That said, while you can attempt to estimate the monetary value of the potential risk of an attack on your customer, you can never quantify the total risk due to the repercussions that will extend beyond the immediate effects of recovery and replacement. Business impact analysis can help you establish a floor for the costs of a cyber attack, but the maximum potential costs are likely uncertain.

What Is Qualitative Risk?

In qualitative risk assessments, analysts assign a rating (rather than a dollar amount) based on the severity of a risk, ranging from informational to critical.

Analysts begin first by developing an understanding of the environment based on information they gather internally and/or externally. Then they put that information into context by leveraging analytics on how users interact with the environment. Based on what is uncovered, different businesses could face the same threat but have a different system risk analytics profile.

As a result, it is more challenging to attribute a specific threshold or value in these cases, since labels are typically fluid and poorly defined.

Another important component of qualitative risk to consider is reputational risk – which comes into play in the immediate wake of the attack. By definition, reputational risk has a more lasting “ripple effect” on a business, as it pertains to what happens in the aftermath of an event. Reputational damage can come in many forms, including reduced sales potential, lost deals, negatively impacted earnings, and eroded investor and consumer confidence.
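The two sections above describe a quantitative floor (a business impact analysis that prices each record) and a qualitative rating (informational through critical). The script below is an added example, not code from the original article, that puts both into one risk-register entry: the floor is a traceable sum of per-record cost components, the ceiling is deliberately recorded as unknown, and the rating comes from a likelihood × impact matrix. The matrix scoring, the class and function names (QuantitativeFloor, qualitative_rating, RiskEntry, build_entry) and all dollar figures are assumptions constructed for illustration; the article only fixes the 500-record scenario and the endpoints of the rating scale. It also goes one step beyond the text by rating the same threat for two businesses with different impact, which is the “same threat, different profile” point made above.

```python
"""Added example (not from the original article): a minimal risk-register
entry that carries a quantitative floor from a business impact analysis
next to a qualitative rating. All names and figures are constructed."""
from dataclasses import dataclass
from typing import Optional

# Qualitative scale named in the article, lowest to highest severity.
RATINGS = ("informational", "low", "medium", "high", "critical")


@dataclass(frozen=True)
class QuantitativeFloor:
    """Per-record replacement cost, itemised so the floor is traceable to
    its components. Values are constructed for illustration."""
    record_count: int
    cost_components: dict  # component name -> cost per record

    def cost_per_record(self) -> float:
        return sum(self.cost_components.values())

    def floor(self) -> float:
        """Replacement cost of every record: a floor, not the total risk."""
        return self.record_count * self.cost_per_record()


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Map a 1..5 likelihood and a 1..5 impact to one of RATINGS using a
    conventional likelihood x impact matrix (an assumed scale; the article
    names the endpoints of the scale but not the scoring)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must both be in 1..5")
    score = likelihood * impact  # 1..25
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    if score >= 3:
        return "low"
    return "informational"


@dataclass(frozen=True)
class RiskEntry:
    """One register row: the floor is a number, the ceiling is deliberately
    left unknown (None), and the qualitative rating sits beside both."""
    threat: str
    quantitative_floor: float
    quantitative_ceiling: Optional[float]
    rating: str


def build_entry(threat: str, bia: QuantitativeFloor,
                likelihood: int, impact: int) -> RiskEntry:
    return RiskEntry(
        threat=threat,
        quantitative_floor=bia.floor(),
        quantitative_ceiling=None,  # unbounded: reputational and downstream costs
        rating=qualitative_rating(likelihood, impact),
    )


# Constructed scenario based on the article's 500-record example.
PATIENT_RECORDS_BIA = QuantitativeFloor(
    record_count=500,
    cost_components={
        "breach notification letter": 2.50,
        "patient ID reissue": 4.00,
        "health card reprint": 1.50,
    },
)


def same_threat_two_profiles() -> tuple:
    """The same threat rated for two constructed businesses: one where the
    records are its core asset (high impact), one where they are peripheral."""
    core = build_entry("records server compromise", PATIENT_RECORDS_BIA,
                       likelihood=3, impact=5)
    peripheral = build_entry("records server compromise", PATIENT_RECORDS_BIA,
                             likelihood=3, impact=2)
    return core, peripheral


if __name__ == "__main__":
    for entry in same_threat_two_profiles():
        print(f"{entry.threat}: floor ${entry.quantitative_floor:,.2f}, "
              f"ceiling {entry.quantitative_ceiling}, rating {entry.rating}")
```

Running the script prints the same threat twice with an identical $4,000.00 floor but different ratings (high versus medium), which is the point the article makes: the dollar floor is a property of the asset, while the qualitative rating depends on how the business uses it. Recording the ceiling as None rather than a guessed number keeps the register honest about the uncertainty the article describes.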

Final Thought

Many organizations do not have the budget or expertise to handle their IT security needs in-house, so they look to you, managed security service providers (MSSPs) and outside vendors, for help. As an MSSP, you will want contextual knowledge of your clients’ business, such as why the environment is configured a certain way, what dictates the layout or the architecture and how the business is ideally run.

You may be monitoring their environment and addressing their top daily priorities effectively, but without your client’s insight, you will be flying blind. As an MSSP, your organization is charged with overseeing the health of your customers’ IT security ecosystem, and you will require institutional knowledge to help deliver a true assessment as to the qualitative and quantitative risks of any given situation.

Empower your clients with both quantitative and qualitative risk assessments built by the context of their unique business, and revise and revisit that information on a regular basis.

Receiving Security From the Cloud: Why Cloud Maturity is Driving Security Transformation

For well over a decade, the cloud has garnered much hype and attention – and for good reason. For organizations bold enough to leverage it, the cloud has delivered staggering results including faster service delivery, reduced costs and greater agility.

Organizations have matured in their adoption and use of cloud services from email and HR Software-as-a-Service solutions to leveraging Infrastructure-as-a-Service providers to create new solutions and value for customers.

From the day the term cloud computing was coined, security has consistently been cited as a primary concern by organizations when considering moving business functions to the cloud – and it’s not hard to see why.

Utilizing yesterday’s bolt-on security as you implement your cloud strategy is extremely problematic. Not to mention the cloud era has coincided with a litany of other tech trends—Bring Your Own Device (BYOD), Internet of Things, and increasing levels of telework for example—that have made cybersecurity extremely challenging for businesses large and small.

These trends have erased the traditional concept of a security perimeter, causing IT professionals to patch one “leak” in the security dam as six more spring up. It’s an eternal and exhausting struggle, and one that hasn’t had an easy solution.

That is why we’ve formed OPĀQ Networks, which is an important evolution in network security and how security is delivered.

Security Is Still a Human Issue

The companies that can afford to find and retain security talent perform much better than those that can’t. However, the bottom line is that even for the most resource-rich, security-focused companies, there will never be enough security expertise.

There are quality security solutions out there that can provide protection in certain areas, but products are only useful if people have the time, budget and expertise to properly manage them.

Studies show the average large enterprise has anywhere from 3 to 5 network security products. Considerable amounts of time and expertise need to be put into the evaluation and management of a company’s security stack. Not to mention all of the selected products will have patches, updates and licenses that will need to be managed. And after all is said and done, a substantial number of security breaches occur due to poorly implemented policies and improperly implemented security products.

In 1997, I co-founded NetSec and helped pioneer the Managed Security Services Provider (MSSP) business model. We helped many companies with their security by providing outsourced monitoring and management of security devices and systems until I sold the company in 2005. The reality is that, even as the experts, NetSec and many other MSSPs struggled to keep pace with the highly diverse product base and distributed control of our clients’ network and security infrastructure.

Security-as-a-Service: Tightening Control, Simplifying Networks

The answer to the human issue is to bring network security into the cloud age. Rather than deploying and managing point security products utilizing distributed and disjoint policy, network security controls should be tightly integrated into the network and managed through a single policy control point. Security from the cloud can be extended to the location, user and device on demand.

This post on the Securosis blog by Mike Rothman does a good job of illustrating compelling use cases for security-as-a-service:

  • Optimized Interconnectivity: You might have 85 stores which need to be interconnected, or possibly 2,000 employees in the field. Or maybe 10 times that. Either way, provisioning a secure network for your entire organization can be highly challenging – not least because mobile employees and smaller sites need robust access and strong security, but fixed routes can negatively impact network latency and performance.
  • Security by Constituency: One interesting extension of the policies above would be to define slightly different policies for certain groups of employees, and automatically enforce the appropriate policies for every employee. Let’s consider a concern about the CFO’s device. You can put her and all the folks with access to sensitive financial data in a special secure network policy group.

At NetSec, we provided the best security possible at the time, but there were technological and physical limitations to what we could offer. And the MSSP model hasn’t dramatically changed. Distributed security products bolted on to a network managed by a separate team results in endless false alarms and incomprehensible policy. The legacy perimeter protection approach was difficult then and near impossible within today’s hybrid cloud environments.

The growth capital OPĀQ Networks announced today will help us accelerate our research and development, operations, and customer growth in the commercial market. This is a tremendous step towards finally tackling the human issue head-on. It’s an issue that has been at the heart of security challenges for decades. And because of the maturity of cloud, now’s the time you’ll see positive disruption in how security is received.