Overview
Over the past few years, ESG has noticed a distinctive trend: many large organizations are now eschewing reactive information security and regulatory compliance activities in favor of structured and documented risk management. In fact, many enterprises are moving away from external risk management services and establishing their own internal groups as an alternative. Why are so many companies bolstering their focus on risk management? To improve risk measurement accuracy, implement more granular policies, carefully measure controls, and strive for continuous improvement. Formal risk management can help accomplish these objectives while simultaneously lowering costs.

Risk management initiatives are also being driven by a number of external factors, such as:

Rapid financial cycles. Since the dawn of the 21st century, the global economy has been a rollercoaster ride of booms and busts in industries such as technology, housing, financial services, and energy. Improved risk management can help large organizations cope with this ongoing volatility.

Increasing government and industry regulations. In the past, many regulations were weak, poorly enforced, or focused on audits rather than tight controls and corporate governance. This situation, however, is changing rapidly. In health care, HIPAA has been reinforced with the HITECH Act of 2009. The checkbox orientation of the Federal Information Security Act of 2002 is being replaced by a focus on risk identification and reduction in FISMA 2.0. The Payment Card Industry Data Security Standard (PCI DSS) was recently enhanced and updated. ESG anticipates more rigid regulations in the future, especially in areas such as federal IT procurement, defense/intelligence, and critical infrastructure industries such as electric utilities, financial services, health care, and telecommunications.

IT complexity. Many large organizations are consolidating data centers, deploying server virtualization, and developing new web applications. As more and more business processes are tied to centralized IT assets, the impact of a service interruption grows exponentially.

The increasingly dangerous cyber threat landscape. Global cybercrime is now a multi-billion-dollar, highly specialized industry that is very good at what it does. For example, security researchers estimate that a new piece of malware was introduced every 1.5 seconds in 2010. Some of these variants, like Stuxnet and Zeus, were especially virulent. Even the most hardened security professionals are frightened; little wonder, then, that ESG research found that a majority of IT professionals working at critical infrastructure organizations believe that the threat landscape is worse today than it was two to three years ago (see Figure 1).[1]
All of these trends lead to growing day-to-day risk areas such as capital, market, liquidity, and credit risks. This is driving CEOs and corporate boards to demand more focus on risk management throughout the organization.
[1] Source: ESG Research Report, Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure, November 2010.
Figure 1. IT Professionals Believe That the Threat Landscape Is Getting Worse

How would you rate the current cyber security threat landscape compared to the threat landscape 24-36 months ago? (Percent of respondents, N=285)

  Much better today than it was 24-36 months ago:       2%
  Somewhat better today than it was 24-36 months ago:   6%
  About the same today as it was 24-36 months ago:     20%
  Somewhat worse today than it was 24-36 months ago:   40%
  Much worse today than it was 24-36 months ago:       28%

Source: Enterprise Strategy Group, 2010.
Recommendation: Unify top-down and bottom-up risk management through common organizations and processes.

Detail: Unify the top-down and bottom-up groups around a common risk register, risk reviews, documented processes, and risk metrics. Begin with basic risk management templates that unite the organization and address the most important business and operational risks. Look for a risk register repository along with risk assessment tools, KPI/KRI metrics, and centralized reporting. Risk management systems should also support industry-standard risk management models.

Risk management is often based upon tactical point tools, spreadsheets, and presentations.
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.