With more and more breaches making the headlines, risk management and security professionals are bracing themselves to face not only increasingly sophisticated attacks, but also more rigorous scrutiny of their controls and measures. Although each company is different, with unique priorities and needs, there are several risk management measures that would benefit all types of organisation, says Simon Campbell-Young, CEO of Phoenix Distribution.
A good starting point, he says, is the set of risks that go hand in hand with third-party partners who act as custodians of an organisation’s data. “Businesses rely more and more on outside vendors and partners, driving the need for a solid third-party risk management strategy to make sure that these risks are identified, measured and controlled. This is particularly relevant, as customers will want to know how third-party risk is managed.”
Next, Campbell-Young says, businesses should harness their own data for better insight into the risk management process.
“Data mined from security tools, the network and other infrastructure can be invaluable, and help a business to validate assumptions and better understand what the risks are. Too many companies do not realise the value of the data that resides within their environment, and fail to analyse the data and work the findings into the risk management plan.”
He says this is particularly effective when dealing with today’s advanced persistent threats (APTs) and targeted attacks. “These attacks are so carefully planned, often using multiple vectors to achieve their ends, that security and risk practitioners must constantly re-evaluate their mitigation methods and protocols.”
These sorts of attacks can cause significant damage and have changed the security landscape, he adds. “Access control, DLP, IPS, firewalls and AV are woefully inadequate. Successfully fighting APTs requires dynamic netflow analysis and other tools that analyse new threats on an hourly basis and update systems accordingly.”
He adds that there needs to be a marriage of preventative measures and tools that can identify when a breach has occurred. “We know now that a breach is almost inevitable. Traditional tools for prevention are not a silver bullet; they are no longer protecting businesses. Breaches occur, and when they do, they need to be contained and the damage limited, and this needs to be factored into the risk management plan.”
In this way, risk analysis and assessment are no longer done on an annual basis but become an ongoing exercise. “Risk managers need to have meaningful data to make informed decisions about processes and tools. Companies need to find a way to build real-time data into the risk assessment process, and be able to react quickly to the outcome of the assessments.”
Finally, Campbell-Young says there is still a need for a better relationship between IT security and business processes.
“A good start would be an open dialogue between risk managers and business executives. A good risk, security and compliance policy will require input from risk managers, business users, suppliers and other stakeholders both within and outside the business. Risk management and performance management are inextricably linked.”