The ‘New Black’: Risk Management Unites Both Sides of IT’s House

It’s everywhere. You can’t miss it. Just about every vendor in security has worked it into their marketing jargon. Only a few years ago, “compliance” was the buzz term that seemed to find its way into every story, regardless of how irrelevant. No more. In the last year, the title has gone to a new contender.

Today, risk is “The New Black”.

For years, the security market relied on the FUD (fear, uncertainty, and doubt) generated by each new attack trend to move new products and new technologies. When compliance came along, it brought with it a guaranteed budget for and buyers of compliance solutions—regardless of whether they felt they really needed them or not.

Today, risk management is taking over as the dominant theme in security. It’s overtaken compliance in many respects because, to a large degree, risk management is what compliance is all about. Taking a disciplined approach to IT controls is a key factor in effective IT governance. This trifecta of governance, risk and compliance has become the key theme of new classes of products that bring these values together under the term “GRC.”

Risk is more than just a buzzword, however. Senior management is no longer as willing to spend, spend, spend on the latest security defense without some form of justification. Security pros not only want to provide a reasonable justification for their investments, they also want to demonstrate how well their efforts perform. That is not so easy when doing a good job means, basically, that nothing happens.

Risk management offers a way to do just that. By leveraging concepts accepted in other domains of risk, such as actuarial or financial analysis, risk concepts give security professionals new tools for determining what risks matter, and how to measure the effectiveness of risk control in ways that management can understand.

One of the benefits of this approach is it gives the business new tools with which to measure whether a new risk control purchase is necessary. This is causing IT pros on both sides of the house (security and ops) to look at all their management investments in an entirely new light.

It may not be necessary to improve risk management by buying the latest tool. Better configuration management alone would improve IT risk management. This means many IT shops may already be in a good position to improve their risk posture based on investments they’ve already made. Yet, many do not even know it.

Think about it: It’s easy to see the risk management values of security or regulatory compliance tools, which focus on the negative (security threats, insider risks, business malfeasance, and so on). Yet IT management solutions, too, focus on the risk to IT’s positive values of business-critical resource availability, performance and support. Both aspects share a common interest in resource integrity and assurance against disruption that could threaten the business itself.

ITIL’s Role

Is your organization pursuing an IT optimization effort such as ITIL? If so, why not take advantage of that effort to improve the management of IT risks across the board? Conversely, can you leverage your IT governance or COBIT initiatives to improve the management of IT risks—on both the positive (IT service delivery) as well as the negative (security, insider threats) sides of the equation?

These questions that bridge the gaps between IT operations and security under the umbrella of risk are becoming much more common—and the answers have been eye-openers in some cases.

For example, in 2006 my company, EMA, surveyed over 150 organizations pursuing a configuration management database (CMDB) implementation. In this survey, we asked IT shops implementing a CMDB what their top priority was for the coming year. The response? Security.

These weren’t security pros, by the way. They were IT operations professionals whose primary job is delivering IT availability and performance.