Establish metrics to improve risk management

Because protecting data is now a priority in the business world, decision-makers are placing a stronger emphasis on developing robust governance strategies that strengthen overall security programs through policy, monitoring and education. If executives do not take the proper steps to ensure that corporate governance can evolve and mature in the coming years, however, firms will not be able to effectively mitigate risk.

This was highlighted in a recent Dark Reading report, which said businesses need to establish a set of metrics to observe the progress and effectiveness of security initiatives. If decision-makers are not measuring how efficient they are at protecting data, their organization will likely be making choices based on inaccurate information.

"You know what you call governance without metrics? Dogma," said Alex Hutton, director of operations risk and governance at Zions National Bank, according to the news source. "You know what you call governance guided by metrics? Risk management."

The importance of real-time information

Rather than guessing and making false assumptions about the security landscape, executives should consider using server monitoring tools that provide valuable insight into the network and how well defensive operations are working. Dark Reading said stand-alone risk models are hypotheses, as they imply a number of maybes and potential threats, not hard evidence. By establishing a program that monitors performance and provides feedback as to the safety of specific areas of the network, companies can establish a more well-rounded and effective security posture. When organizations use real-time server monitoring solutions, executives can make quick changes to ensure the safety of mission-critical assets.

"The metrics that we try to use and leverage and develop are intended to inform and turn assumptions into understanding more than anything else," said Jack Jones, principal of the risk management firm CXOWARE, according to Dark Reading. "We have as an industry a bad habit of being a little bit superficial in our treatment of the problems we face. If we want to evolve, we have to be a little more critical thinking in our approach."

Embracing a new risk management

A recent Deloitte study of more than 190 executives in the United States revealed that more than 90 percent of respondents intend to reorganize their approach to risk management in the coming years, largely due to the emergence of sophisticated threats and ongoing technological transformations that are out of the private sector's hands. Although Deloitte said that continuous server monitoring is only being used by a small portion of the business world, IT directors are recognizing the important role the technology will have in the development of risk-management programs.

Currently, executives monitor risk periodically, which provides only a fraction of the information needed to augment security programs. By using real-time, continuous monitoring solutions, companies of all sizes can gain a wider perspective of the threat landscape and how specific changes can improve a firm's defensive stance.

"Monitoring risk can sometimes be a backward-looking process. It shouldn't be," said William Keevan, senior advisor at Chess Consulting, according to Deloitte. "We look at it as a predictive process."

By taking the time to implement advanced monitoring services, decision-makers can establish baseline metrics regarding how safe their network is on a regular basis. Using this information, companies can quickly identify when something is impairing operations or jeopardizing security. Alerted IT directors can then make adjustments to the organization's risk management program to alleviate current and future concerns associated with the same issue. Businesses that are able to understand the evolving risk landscape will likely be more capable of fending off threats in the long run.