As the need for data security has grown across enterprises, so too has the number of tools and measurements used to help companies manage their individual risks. Ericka Chickowski wrote on Dark Reading that with so much information flowing from network activity graphs, intrusion detection systems and security event logs, there must be a dedicated program in place to ensure that risk scoring is consistent across the entire business.
"You've got all these different controls, they all talk about assets differently, they all present different information," says Dwayne Melancon, CTO of Tripwire, according to Chickowski. "So how do I roll that up into a small number of indicators that actually helps me develop confidence that I'm secure or my risk score is going down?"
This is not a simple question for companies to answer, but Melancon said it is essential that they start working on it now, because normalizing data helps companies make better comparisons and better security decisions. Steve Schlarman, eGRC solutions manager at RSA, told Chickowski that a project to normalize these metrics needs to start by identifying a set of security risks that can be measured consistently over time. Organizations also need to make sure this data can be quickly aggregated and analyzed to extract maximum value from it.
Starting from the business's data security needs and working outward from there should produce a solid list of what needs to be normalized, Melancon said. IT staff sometimes start with the controls rather than with the business function that needs protecting; he said this often leaves a business with more controls than it needs and makes the process far more complex than is good for the company.
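To make the normalization idea concrete, here is an added example (not code from the article or from any of the vendors it quotes) that takes findings from three hypothetical controls with incompatible severity scales, maps each onto one 0-10 scale, and rolls the results up per business function rather than per control. The control names, the mapping rules, the asset-to-function table and the sample findings are all assumptions constructed for illustration; a real program would replace them with its own agreed scales.

```python
"""Normalize heterogeneous security findings to one 0-10 scale and roll them up
per business function. Added illustrative example; all sources and data are
constructed for this demonstration, not taken from any real product."""
from typing import Callable

# Constructed sample findings from three hypothetical controls.
# Each control reports severity in its own, incompatible scale.
FINDINGS = [
    {"source": "vuln_scanner", "asset": "web-01", "severity": 9.8},      # CVSS-style 0-10
    {"source": "vuln_scanner", "asset": "db-01", "severity": 5.3},
    {"source": "ids", "asset": "web-01", "severity": "high"},            # low/medium/high/critical
    {"source": "ids", "asset": "hr-app-01", "severity": "medium"},
    {"source": "siem", "asset": "db-01", "severity": 2},                 # syslog-like priority, 0 worst .. 7 least
    {"source": "siem", "asset": "hr-app-01", "severity": 6},
]

# Assumed mapping from asset to the business function it supports. This is the
# "start from the business function" step: the rollup key is the function, not the tool.
ASSET_FUNCTION = {
    "web-01": "customer-portal",
    "db-01": "customer-portal",
    "hr-app-01": "payroll",
}

# One normalizer per control, each returning a score on the common 0-10 scale.
NORMALIZERS: dict[str, Callable[[object], float]] = {
    "vuln_scanner": lambda s: float(s),  # already 0-10
    "ids": lambda s: {"low": 2.5, "medium": 5.0, "high": 7.5, "critical": 10.0}[s],
    "siem": lambda s: (7 - int(s)) / 7 * 10,  # invert: priority 0 -> 10.0, priority 7 -> 0.0
}


def normalize(finding: dict) -> float:
    """Map one finding onto the common scale, failing loudly on unknown sources
    or out-of-range values so that a misconfigured control cannot silently
    drop out of the risk picture."""
    source = finding["source"]
    if source not in NORMALIZERS:
        raise KeyError(f"no normalizer configured for control {source!r}")
    score = NORMALIZERS[source](finding["severity"])
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"normalized score {score} out of range for {finding}")
    return score


def rollup(findings: list, asset_function: dict, high_threshold: float = 7.0) -> dict:
    """Aggregate normalized scores per business function.

    Returns, for each function, the worst score seen ("max"), the total number
    of findings, and how many are at or above high_threshold. A small, stable
    set of indicators like this is what can be tracked over time."""
    summary: dict = {}
    for finding in findings:
        function = asset_function[finding["asset"]]
        score = normalize(finding)
        entry = summary.setdefault(function, {"max": 0.0, "findings": 0, "high": 0})
        entry["max"] = max(entry["max"], score)
        entry["findings"] += 1
        if score >= high_threshold:
            entry["high"] += 1
    return summary


if __name__ == "__main__":
    for function, entry in sorted(rollup(FINDINGS, ASSET_FUNCTION).items()):
        print(f"{function:16s} worst={entry['max']:.1f} findings={entry['findings']} high={entry['high']}")
```

The point of keying the rollup on business function is that the question "is the customer portal getting safer?" can be answered from one number per period, regardless of which tool produced the underlying findings. The inverted syslog-priority mapping also shows the kind of detail that has to be agreed explicitly: two controls can both report "2" and mean opposite things.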
TechRepublic noted that using risk management to protect the company has some drawbacks, including the danger of focusing too much on events that have not yet happened, but with a good program in place businesses get a clear view of their threats, their vulnerabilities and the impact each could have on the organization.
"Security risk management integrates well with the way business managers make decisions," the website said. "It allows security managers to speak a language decision makers understand."
Data Security News from SimplySecurity.com by Trend Micro.