Surprised? You shouldn’t be. One of the top priorities of security management is to build an asset inventory that gives insight into what IT assets are at risk, and how relationships between those assets affect the risk posture. IT pros on both sides of the house increasingly recognize these values—in part because taking a risk management view of IT helps see the connections between IT service optimization and risk control. The IT Governance Institute echoes this awareness, through initiatives such as the recent mapping of COBIT 4.0 to ITIL as well as to security best-practices such as ISO 17799.
This trend should not be as surprising as it may sound. Years ago, change audit and control tools such as those offered by Tripwire saw their first wide acceptance, not for their IT service management values, but as security enablers; as a means to instrument the detection of unauthorized change resulting from exploit or attack.
They have since been recognized for the value they contribute to IT service management. Yet their importance is now coming full circle as a key enabler of risk control buying playing a significant role in monitoring events that not only threaten IT’s positive values, but which also indicate the bad guys may be afoot.
New Uses for Existing Tech
Other risk technologies that bridge IT operations and security include event management systems. In IT ops, they perform root cause analysis of IT service problems. In security, they correlate recognition of a threat. Uniting these two perspectives can help businesses distinguish the true root cause of system events, and improve the “distant early warning” of potential governance or compliance risks. They also contribute directly to the accumulation and maintenance of “audit-worthy” evidence of the effectiveness of IT risk controls.
The service desk is yet another focus of shared interest between risk management and IT optimization. Response to a risk event may mean follow-up—analyzing a vulnerability, deploying a patch, investigating behavior, improving education. The workflow capabilities of the service desk can play a key role in delivering an effective response. Yet, one of the biggest benefits of a comprehensive view of risk management may be in getting security and IT ops to play nice with each other.
These two groups often disagree because they serve different priorities. Operations wants to make sure IT is highly available, whereas security wants to keep things as safe as possible. Yet they do have common interests: Defending critical IT services against disruption is an operations priority, while security pros are dedicated to assuring the “A” in security’s “CIA” values of confidentiality, integrity and availability.
Giving them a common goal—such as agreement on the tools and processes that improve their cooperation—may be one of the greatest benefits of taking the high road of risk management that speaks to both sides of the issue.
Because, after all, it’s all about risk.
Scott Crawford is a research director of the Security and Risk Management practice with Enterprise Management Associates in Boulder, Colo., an industry analyst firm focused on all aspects of enterprise management systems and services. The former information security chief for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria, Scott has also worked with the University Corporation for Atmospheric Research as well as Emerson, HP, and others. He can be reached at [email protected].