
Rebuttal to Stiennon: Why risk management can succeed in IT

By Steve Schlarman, eGRC solutions architect, RSA, special to Network World
October 22, 2012 03:14 PM ET

Network World - This is a counterpoint to the Network World article "Why risk management fails in IT" by Richard Stiennon, chief research analyst at IT-Harvest.

Earlier this week Richard Stiennon published an article that questions the value of risk management in IT, and I would argue that, although risk management presents challenges to IT, best practice-driven approaches leveraging aspects of risk management are essential to good security.

Stiennon's perspective reflects the prevailing view in the media -- supported by valid industry statistics -- that IT security is losing the war against the bad guys. Data breaches are front page news and companies are being fined millions of dollars for losing personal information. Given we have been fighting this battle for so long, we must have made some progress, right?

We can definitely say we have. The fact is, IT security is becoming more sophisticated. It is a journey and, while we have a way to go, there is definite progress toward repeatable, best practice-driven approaches that have been used in other aspects of risk management.

IT security doesn't have the number-crunching abilities of financial risk modeling or broad history of market data to throw into Monte Carlo simulations. Other risk disciplines have data that over the years has led to refined mathematical, quantitative methods. Will IT security ever get there? We seem to be making significant progress. Consider:

* Identification of assets is achievable. One of the first tasks in risk management when it comes to IT security is to know what you need to protect. This is a significant challenge and, with the proliferation of devices, it seems an insurmountable task. However, technologies are addressing the "find the needle in the stack of needles" problem and identifying where important data flows into or out of the organization and where it ends up. For example, data loss prevention technologies continue to expand their scope, accuracy and capabilities.

Some perspective is useful when looking at progress against this problem. Will an organization have an absolute list of every desktop, laptop, mobile device, router, switch, database and widget in the entire IT universe? No. But can an organization find where personal information, credit cards, key research and development plans and other jewels of the company live? Absolutely. Today.

A large technology company launched an initiative to find credit card data. A DLP scan across its file servers found 30,000 files spread out over a large, international IT infrastructure. With a combination of technologies and processes, the company cataloged these data assets, identified owners, contacted them, remediated and secured the data. This wasn't a multi-year effort; it was a multi-week effort. In addition, the company realized how it could do this for other information assets. Lo and behold, the company not only secured the loose change across the file servers, it determined how to find and secure the bags of money as well.
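As an added illustration of the discovery step described above (example code written for this page, not the article's, RSA's or any DLP product's own logic), the scanner below does what a basic content-aware DLP pass does on a file share: it finds candidate card numbers, drops false positives with the Luhn check, and reports masked hits per file so owners can be identified and contacted. The file contents are constructed sample data.

```python
import re

# Constructed sample "file server" contents (path -> text); not real data.
SAMPLE_FILES = {
    "finance/q3_refunds.csv": "customer,card\nA. Smith,4111 1111 1111 1111\n"
                              "B. Jones,5500-0000-0000-0004\n",
    "hr/phone_list.txt": "Desk: 4111111111111112 looks like a card but fails Luhn\n"
                         "Ext 5550 1234\n",
    "rnd/roadmap.md": "# 2013 roadmap\nNo payment data here.\n",
}

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: weeds out phone numbers, IDs and typos that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return masked card numbers found in text (first 6 and last 4 kept, as a DLP report would)."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan_files(files):
    """Map each path that contains validated card data to its masked hits; clean files are omitted."""
    report = {}
    for path, text in files.items():
        hits = find_cards(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(hits)} card number(s) -> {hits}")
```

On a real share the same loop would walk the file system and attach each hit to the file's owner from metadata, which is the catalogue the remediation effort starts from.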
