Governance and Risk Compliance

It is frustrating to see the amount of budget allocated to compliance when you consider that most of the money goes to documenting security controls, not improving defenses. One of the biggest reasons is that risk management, a carry-over from the bigger world of business, does not work in IT security. While few small businesses have formal risk management programs, most large businesses do. They even have risk committees that are drawn from the board of directors, often headed up by the CFO. The goal is to identify risks and either reduce their potential impact with compensating controls or purchase insurance to further reduce the business risk.

For example, a large airline, thanks to its risk management program, may recognize that rising fuel prices could hurt its competitiveness and decide to hedge fuel on the open market, or a car manufacturer that has gone too far down the path of Just-In-Time supply may start to warehouse critical components in case a supplier in Thailand is wiped out by a flood. But try to translate risk management theories to IT and you run into trouble. Every risk management program starts with the dictate to identify all IT assets and weight them based on their criticality to business operations.

That leads to the first big problem.

1. It is expensive and almost impossible to identify all IT assets

While at first glance identifying assets appears to be a simple problem, it is actually extremely complex; almost fractally complex. IT assets include every computer (desktop, laptop, server, print server), every application (database, email, ERP), every dataset (customer lists, earth resources data, product pricing guide), all email, all documents in all versions, all identities, and all communications. As companies increasingly turn to cloud computing, they need strategies to protect and recover data stored in multiple places.

Now, add in the proliferation of devices coming in with consumerization—smartphones, iPads, even e-readers—and the data that reside on them. Then add in the dynamic nature of the cloud, where servers can be in a constant state of flux as load is elastically met with more or fewer virtual machines. Like I said, it’s complicated. The next big problem:

2. It is impossible to assign value to IT assets

The concept behind risk management is that you assign a value to each asset. There are many algorithms for doing so. It usually involves a cross-functional team meeting and making at least high-level determinations. But it is obviously impossible to assign a dollar value to each IT asset. Is it the cost of replacing the asset? That might work for a lumberyard, but an email server might have a replacement value of $2,000 while the potential damage to a company from losing access to email for an extended period could be millions of dollars in terms of lost productivity. What about the value of each email? How much is one email worth? Ten cents? Zero? What about the internal email between the CFO and the CEO on the last day of the fiscal year warning that they missed their targets? Its dollar value is zero, but the risk from that email getting into the wrong hands could be the loss of billions in market capitalization.

Most organizations give up on the dollar-value asset ranking and come up with low-medium-high valuations. Try to picture a team of IT asset managers in a room and one of them agreeing that his job is to manage servers that have little or no value. If there is no value to an IT asset, it has long since been replaced or eliminated. Every IT asset is of high value. So why bother classifying them all?

Order now (bulk rates available): https://bit.ly/3sPC5Wb

“Security Yearbook 2021” is available only at the IT-Harvest site https://lnkd.in/gh889sR

Richard Stiennon is well known in the cybersecurity arena as an analyst and as an author. Other works: “Cyberwar”, “There Will Be Cyberwar” and “Security Yearbook 2020”.


Contents

Chapter 1. What Happened in IT Security in 2020?

Chapter 2. Introduction To The History of The Security Industry

Chapter 3. Getting to Know the IT Security Industry

Chapter 4. A Brief History of the IT Security Industry

Chapter 5. Network Security History

Story: Gil Shwed

Story: Chris Blask

Chapter 6. DDoS Defense

Chapter 7. Endpoint Protection from AV to EDR

Story: Ron Moritz

Chapter 8. Identity and Access Management

Story: Barry Schrager

Chapter 9. Data Security

Story: David Cowan

Story: Sandra Toms

Story: Deborah Taylor

Chapter 10. Governance Risk Compliance

Story: Renaud Deraison

Chapter 11. Managed Security Services

Story: Amit Yoran

Chapter 12. Failures

Chapter 13. 2020 Public Companies

Chapter 14. 2020 M&A

Chapter 15. 2020 Funding Rounds

Chapter 16. Research Methodology

The 2021 Security Directory

Alphabetical Listings by Company

Listings by Country

US Listing by State

Listings by Category


Craig Kensek

Strategy | Corporate Marketing | Product Marketing | Marketing Management | Director | Communication | Cybersecurity

3 years ago

Gil Shwed, David Cowan, Chris Blask, Ron Moritz, Barry Schrager, and Amit Yoran are among the double handful of contributors.
