Risk management policies should be more "strategic and proactive", instead of "tactical and fear-driven", according to security watchers, who note despite the growing awareness over the importance of IT security, its approach can still be improved.
According to Ang Poon-Wei, ICT security market analyst at IDC, in the past, due to the costs incurred by IT security, many organizations often leave it out of discussions until the last minute or unless it is mandatory for government, risk and compliance. Today, the need to include IT Security in risk management discussions is becoming apparent to organizations of all sizes and verticals, he noted.
This was especially after the fall of Enron in 2002, the implementation of the Sarbanese -Oxley Act and the global financial crisis in 2008, widening risk management's scope to encompass IT governance due to many headline losses of confidential information from sophisticated cyberattacks, Vincent Goh, Asia-Pacific vice president at RSA observed.
Breaches today are mostly financially-driven but are always about data, compared to 10 years ago when they were geared toward vanity and fame, and the number of occurrences and the speed in which IT threats are developed have also increased, Ang said.
Cybercriminals and hacktivists today keep abreast of technological shifts and are increasingly skilled at exploiting security vulnerabilities, Goh pointed out. They not only exercise better coordination to infiltrate the traditional perimeter defenses, but also take advantage of security loopholes and the rapid changes in the emerging threat landscape, he explained.
Growing openness and connectivity changing landscape
In addition, the growing openness and connectivity of an organization's infrastructure have also impacted the security landscapes, with technology trends such as Bring Your Own Devices (BYOD), mobility and cloud adoption posing varying degrees of risks, Goh added.
Companies are also increasingly relying on outsourcing and shared services for their IT operations which can bring about new types of technology risks such as data leakage, Jimmy Sng, technology advisory partner of PwC, noted.
That said, risk management has matured along with the security landscape over the last ten years with most organizations today have a proper risk management function in place which details the roles and responsibilities of the risk management function, an established process and access to senior management, he said.
Change from fear-driven risk management to be more proactive
However, most organizations are using the "tactical approach" in managing security risks, where risk management occurs on a reactive basis and monitoring in decentralized, Goh pointed out. Even when risk assessments are performed, they are driven by the need for compliance and "fear", he observed.
This is in contrast to a wider strategic approach where risk is measured as a function across an organization's vulnerability to and likelihood of attacks, as well as the value of the information at stake, Goh noted.
He cited the Carnegie Mellon 2012 CyLabs governance report released earlier this year, which found that although organizational boards are actively addressing risk management, areas pertaining to IT operations, computer and information security, and vendor management are still not receiving sufficient attention. The majority also do not review insurance coverage for cyber-related risks.
"Risk-management must be conducted at a more substantive and granular level--and this includes reviewing privacy and security issues which could help prevent the organization from high risk areas such as the theft of confidential or proprietary data," he said.
Enterprises should improve on their risk management techniques to be more proactive, Goh remarked. It is important they understand that for them to make enterprise-wide risk assessment, it cannot be managed in silos, he explained. A unified governance, risk management and compliance (GRC) program is needed to ensure the organization is focused on high-priority projects and the greatest risks.
Gerry Chng, advisory services partner at Ernst & Young, also suggested that the architecture should consider how security controls should be monitored on an ongoing basis to ensure its effectiveness and it identifies risk scenarios. Changes to the existing control environment should be proactively communicated to affected stakeholders to encourage buy-in and support, he added.
"If the objective of information security is to protect the resilience of the IT infrastructure and safeguard the key business information, it is very important that a proper risk management practice is established to methodically identify the risks, and ensure that security solutions implemented meet the expectations and are sustainable," he said.