In a recent article for the Global Association of Risk Professionals, I outlined how three factors are heavily influencing current network security risk management practices in dealing with IT risk.
The key factors as I see it are:
Change: IT risk will always be in a state of flux
The art of measuring risk is making sure you are measuring the right things, and in security, the issue of metrics has always been controversial and ever-changing. For example, what good is deleting hundreds of old firewall access rules if the ones you keep (and need) are overly permissive?
Trends such as the rise of Cloud computing, bring your own device (BYOD) and virtualization have required companies to completely re-evaluate their risk profiles. When technologies mature, they offer great new benefits, but also introduce new risks.
The reality is that successful IT risk management requires the entire ecosystem of people involved in the process to be agile enough to respond to shifting business requirements. But it also requires good instincts, to identify when the IT risk profile is no longer aligned with the business…
Complexity: IT risk management is an art
It's not easy for IT managers to deploy multiple products from different vendors, all with their own dashboards, which need to be integrated with other IT management tools as well as risk and IT management frameworks such as ISO, CoBIT, or ITIL. The good news for any IT practitioner who might be worried about being automated out of a job is that it still requires a specialised skills set.
However, similar to IT security, IT risk management is, for better or worse, heavily product-driven, resulting in a dynamic where managing risk becomes an exercise in vendor management. The need to adapt to changing business requirements and increased competition resulting from market opportunities is forcing vendors to innovate and add more value.
Communication: Transparency is key
In highly complex network environments, an organization's IT risk profile can change dramatically with one mouse click. It is hard enough to determine what type of IT risk is acceptable and to what degree, and even harder to implement and maintain controls that can reliably ensure that risk profile is maintained on a daily basis. This is where open alignment across security, operations and other IT groups is key.
IT risk and security groups are quickly changing the perception that what they are tasked to do is a financial and operational sinkhole. Working together with operations teams, they can create economies of scale and make much smarter use of legacy and new technologies -- especially through investments in automation.
See a full description of these factors and more context here