Security risks are prevalent in most organisations, yet the consistent management of all technical, process and personnel-related security problems can be difficult as multiple teams are often identifying and mitigating them. In a bid to address this, many organisations are now fusing their risks management technologies and approaches into one Integrated Risk Management (IRM) solution comprising the platforms and processes needed to unify this critical business function.
IRM solutions – give your business full visibility of the risks
IRM contains all the features an enterprise risk management approach needs to deliver strategic, tactical and operational management of risks, combined with the tools and processes for identifying and mitigating them.
When evaluating what IRM means to your business, you must consider the things that matter most to each of your stakeholders: the board, the management teams and operational staff. Executives want to see the big picture, with accurate reporting across the entire business so they have the visibility of what’s immediately relevant to them in terms of mitigation investment.
At the middle management layer, risk-based decision making is essential. Having the information needed to fully understand tactical and operational risks and prioritise remediation plans within the workload pays dividends.
As your business changes over time through organic growth, customer acquisition, mergers and acquisitions or the introduction of new product lines, removing the risk management silos that teams have built up over the years is vital. New risks are always appearing in the business, and even if they are technical risks, they can have a negative strategic impact on the business’s wellbeing. Two words help people understand this challenge: data breach. A low-level technical vulnerability in a simple Wi-Fi access point could be the issue that leads to the theft of your customer database.
IRM supports the business need to communicate risks, no matter their provenance, to the right audience, enabling better and more robust decision making. IRM also gives risk management owners a greater understanding of the nature of aggregated risks; where risks are chained together to raise their ratings higher because as a collection, they demand a faster response and a more comprehensive mitigation plan than any one of them individually.
Cybersecurity risks are often considered strategic by the business since they are on today’s boardroom agenda. However, these security risks tend to originate from technology platforms, so IRM systems need to aggregate them from operational systems using monitoring and system management tooling, such as vulnerability assessment, antivirus, SIEM, configuration management and software distribution platforms.
An IRM solution should fit with your organisation’s needs
Before you rush out and buy an Integrated Risk Management solution, you need to carefully consider how you get buy-in from all of the relevant business stakeholders and associated risk management teams that would use it. This includes understanding the methods, processes and tools they use today to meet their local risk management objectives. Don’t look to mimic all extant business processes or approaches to managing risk found in each team, since a critical review may expose better and more efficient or accurate ways of identifying and reporting on key risks to the business.
Spend an appropriate amount of time defining all your business requirements so the solution is comprehensive and meets the needs of operational, middle management and executive teams. Also, consider how you identify IRM champions across the business to help with implementation, since some areas of the company could be very parochial or remote. You need supporters on the ground who can institute the new processes and platforms and train the people who need to use them.
If you don’t have the in-house skills or experience to design an IRM solution, you should seek outside assistance. IRM is one of the most critical business systems to invest in over the next few years, and because of its complexity and highly integrated nature within the enterprise, it needs to be comprehensive and streamlined. If the solution only makes users’ day jobs harder or makes them less productive, possibly because they don’t understand it and are not trained, the solution could fail from the start.
Integrated Risk Management adoption is essential. Support this complex business process change with a comprehensive rollout plan that includes communication and training.
IRM solutions don’t have to be single-vendor systems. A well-integrated approach, using the best tools for the job, is often better than trying to use one technology for everything.
In cybersecurity, we use vulnerability management platforms to gather patch-state information and configuration data from ICT systems and report those against a database of known bugs and issues. Results reflect how easy it is to exploit a vulnerability, and then it’s the business’s job (usually the information security management team) to explain those risks in the context of the enterprise infrastructure – security architecture, processes, protective monitoring, physical security and business continuity measures – considering compensating controls and mitigations. If mitigating the risk requires investment, you may need to elaborate on its context for middle managers and executive managers, so additional context against strategic business plans needs considering.
An IRM system would not replace the vulnerability management platform. Instead, it would take the output of that expert system and allow the security risk manager to annotate the risk and modify it with context and provenance. The solution would build this into a dashboard or present it in a way that makes sense at the next level up within the business. Ideally, when the security manager submits a risk that is above the set level of acceptance, it should be brought to the attention of the teams who have the authority to treat it.
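As an added illustration of the hand-off described above (not the page's own code or any product's API), a small Python model in which scanner findings are annotated with business context, provenance and compensating controls, chained risks are rated as a collection, and anything above the acceptance level is flagged for the team with authority to treat it. All findings, asset names, weightings and the threshold are constructed for illustration.

```python
"""Minimal IRM intake layer: annotate scanner output, aggregate chained risks, escalate."""
from dataclasses import dataclass, field

ACCEPTANCE_LEVEL = 12.0  # constructed policy value: ratings above this must be escalated


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: float            # scanner's exploitability/severity score, 0-10 (constructed scale)
    source: str                # provenance: which platform produced the finding
    business_impact: int = 1   # 1 (low) .. 5 (critical), set by the security risk manager
    compensating_controls: list = field(default_factory=list)
    chain: str = ""            # label shared by findings that form one attack path

    def rating(self) -> float:
        # Constructed rule: each compensating control cuts effective severity by 20%,
        # floored at 10% of the raw score so a risk can never be annotated away to zero.
        factor = max(0.1, 1.0 - 0.2 * len(self.compensating_controls))
        return round(self.severity * factor * self.business_impact, 2)


def aggregate(findings):
    """Return {label: rating}; findings sharing a chain label are rated as a collection."""
    chains = {}
    for f in findings:
        chains.setdefault(f.chain or f.finding_id, []).append(f.rating())
    # Constructed rule: a chain is rated at its worst link plus half of the remaining links,
    # so a collection of risks always rates higher than any one of them individually.
    return {k: round(max(v) + 0.5 * (sum(v) - max(v)), 2) for k, v in chains.items()}


def escalate(findings, threshold=ACCEPTANCE_LEVEL):
    """Return the chains whose aggregated rating exceeds the acceptance level."""
    return {k: v for k, v in aggregate(findings).items() if v > threshold}


# Constructed scanner output, annotated by the risk manager. The first two findings
# model the page's own scenario: a guest Wi-Fi access point on a path to the CRM database.
FINDINGS = [
    Finding("F1", "wifi-ap-03", 4.0, "vuln-scanner", 4, [], "guest-wifi-to-crm"),
    Finding("F2", "crm-db-01", 7.5, "vuln-scanner", 5, ["network segmentation"], "guest-wifi-to-crm"),
    Finding("F3", "print-server", 6.0, "config-mgmt", 1, ["host firewall", "no internet access"]),
]

if __name__ == "__main__":
    for chain, score in escalate(FINDINGS).items():
        print(f"ESCALATE {chain}: aggregated rating {score} > {ACCEPTANCE_LEVEL}")
```

Note that F1 on its own is a modest scanner score, yet once chained with the database finding the collection is what crosses the acceptance level, which is the aggregation behaviour the text describes.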
Lastly, if you can integrate the risk management system with your service management platform, you can incorporate a proactive approach to managing incidents. By giving historical visibility to the processes involved in incident management, linked to the root cause analysis, you begin to infer where risk-based decisions may have been wrong so that the course is corrected next time.
IRM is the future of enterprise risk management. It pays to get on the front foot and begin looking at how you identify operational risks and give them strategic context. Only then will business leaders be able to rationalise low-level technical security risks (vulnerabilities and configuration issues) with their strategic planning.