The nature of security risk management makes its goals constantly moving targets. As technology and cybercriminal tactics evolve, best practices must adapt to address new threats, and while the fluctuating nature of new solutions can inspire innovation, it also leaves a lot of room for mistakes.
CSO columnist George Hulme recently identified several common security risk management mistakes. Alex Hutton, a faculty member of research and consulting firm IANS, told CSO that many organizations simply copy risk management plans from auditing procedures. Although this can mitigate some of the risk associated with non-compliance, this method falls short of developing a comprehensive risk management strategy.
"Audit doesn't necessarily concern itself with threat and audit doesn't necessarily care about reporting an aggregate picture of risk, based on the entire outlook of threats, assets, controls and impact," Hutton told CSO. "Security risk management does."
Security professionals need to not only be aware of new threats, but stay up to date with internal changes that could affect their organization's security posture. Developing a security intelligence strategy is often about forming trusted partnerships so that threat information can be shared. For example, a data security breach may reveal a string of code that is similar to data incidents within other organizations. Hutton also touched on the importance of internal staffing, noting that if an intrusion detection professional suddenly left, it would create a significant vulnerability if there were no one to replace him or her.
Organizations lack security monitoring
Another area in which many organizations struggle is with monitoring. In a survey of 711 IT managers, 90 percent stated they are not confident in their ability to address problems before they affect end users, according to a recent CIO Insight article. Network performance was cited as a top issue among IT professionals, a third of which stated they lack solutions to proactively detect issues.
"Perhaps more vexing is the amount of time it takes to solve issues. On average, it takes five hours from the moment a critical problem occurs to detecting it, determining the problem s cause and correcting," the article stated. "The trouble stems from a lack of robust performance management tools, and that is reflected in the fact that 80 percent of the market is not happy with their current performance management offerings."
The lack of monitoring solutions has lead to significant problems for IT security. The article pointed out that critical issues arise on a regular basis, and it takes an average of five hours to fix those problems.
Security News from SimplySecurity.com by Trend Micro