In the conversation on Risk we have had here at the FireMon blog, we have seen that the task of identifying and remediating risk within today’s enterprise networks is not a trivial exercise. We have discussed many points in this conversation, including why we even talk about risk in security, how risk is measured, whether we are truly measuring risk correctly, and how to truly operationalize risk within your security team.
As we have continued this conversation, it has been encouraging to see other outlets and regulations beginning to embrace the importance of risk. Earlier this month, Torsten George of Agiliance had an interesting guest blog for SC Magazine about risk being security’s new compliance. He points out that today’s security organizations face the challenge that “their current security and vulnerability measures are unable to keep up with evolving threats” and “these security tools operate in a silo-based approach and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring.” He points out that implementing a risk management tool provides the following benefits:
- Reduces risk by making threats and vulnerabilities visible and actionable; enables organizations to prioritize and address high-risk security vulnerabilities before breaches occur
- Reduces cost by streamlining processes to leverage automation and reduce redundant, manual efforts
- Provides reports and metrics to measure effectiveness and efficiency
Additionally, the SEC updated its disclosure requirements last year, suggesting that the disclosure laws already in place require companies to include both cyber security risk and cyber incidents within their risk disclosure statements. Joshua Gold, in an article in Risk Management Magazine earlier this month, interpreted the new guidance from the SEC as “every company under the watchful eye of the agency must disclose its analysis of exposure to a data breach or attack, discussion of material cyber-incidents, description of related legal proceedings and the implications for the firm’s financials.” Mr. Gold points out that this now elevates the management of risk within publicly traded corporations beyond just the security or IT groups and into the corporate suite. It is imperative for security teams working in corporations affected by the new guidelines to leverage a tool that can readily provide a clear overview of the network’s risk posture, one that is easily interpreted by the directors & officers of the company. No longer can network security and risk be discussed at the executive level only after an incident has occurred. Risk needs to be communicated from the security teams to the executive team clearly and easily in order to ensure publicly traded companies do not open themselves up to cyber-related lawsuits due to lack of disclosure.
Risk Analyzer solves the challenges presented by both Torsten and the new SEC regulations noted above. Risk Analyzer visually displays where you are with your network risk posture. Risk Analyzer shows you how to reduce the risk to your environment. Risk Analyzer gives you the operational control to measure your progress towards your goal of reducing risk, and makes it easy to report that progress to higher levels of the organization. Risk’s time has come; let Risk Analyzer help you operationalize Risk within your environment and easily communicate the risk posture of your network to all levels of your organization.