IBM just published their annual Chief Information Security Officer Assessment. There were many interesting insights highlighted within the report. One striking point noted was that external threats are viewed by the majority of CISO respondents as the primary security challenge they face. Traditionally within Information Security, internal threats have always been touted as the greatest threat a security group should focus on. However, as IBM’s report notes, the increased media attention over the past 2 years around external threats and high profile breaches combined with both the customer and business units increased expectations around information protection have shifted the focus towards the external threat.
With this increased focus around the external threat, the CISO respondents also noted that their focus is shifting towards risk management. Moving forward, the majority of CISO’s expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues. John Meakin, the Global Head of Security Solutions & Architecture at Deutsche Bank, noted that Given the dynamic nature of the challenge, measuring the state of security within an organization is increasingly important. Since threats are always moving and solutions are more complex, dynamic and often partial, knowing where you are is essential. He concluded by adding that a key metric security organizations should focus on is the speed and completeness of correcting known vulnerabilities.
FireMon’s Risk Analyzer combined with Security Manager provides an automated tool that enables security organizations to identify not only the potential future risk, but to identify exactly what assets are vulnerable to attack. Risk Analyzer will also prioritize what actions will reduce the greatest amount of risk with the least amount of effort. This enables CISO’s and their security organizations to track the speed and completeness of correcting known vulnerabilities, and to measure over time how they are improving their overall risk posture on the network. IBM’s report shows that CISO’s are looking for ways that they can proactively reduce and manage risk. Risk Analyzer is the tool that enables CISO’s to operationalize risk into their everyday activities, and reduce their exposure to risk automatically and in real time.