Vulnerability and risk management: How to simplify the process
It’s like a faded Polaroid from a bygone era: The day when a computer with centralized software was safely locked away in an office. That’s because it is a bygone era for most organizations – wistfully recalled but wildly out of touch with the present.
Consider just how many devices, assets and people interact with a company’s IT infrastructure today:
- Devices (desktops, laptops, mobile and IoT devices – corporate-owned and personal).
- Software and applications (increasingly cloud-based and largely outside an organization’s control).
- Digital assets and documents.
- APIs and integrations.
- In-house personnel, remote/hybrid employees, freelancers, contractors and vendors.
Moreover, many of these devices, applications and assets might be part of an expansive shadow IT estate that can be invisible to IT and cybersecurity teams.
This growing ecosystem has created an equally complex IT risk landscape. Unmitigated IT risk can have a major impact on business finances, functionality, morale and reputation. The constant stream of cybersecurity threats that organizations face—coupled with the very real impact those threats carry—has made the need for a robust IT risk management process painfully clear.
In this concise IT risk management guide, we’ll cover:
- What is IT risk management?
- Five steps for risk management in IT.
- Which IT risk management processes and strategies you should follow.
- Best practices for IT risk management.
What is IT risk management?
A business stares down “risk” of one sort or another across nearly every facet of its organization and operations. But when we talk about IT risk management, we mean cybersecurity risk.
As we’ve seen, with the growing integration of complex IT processes and tools into an organization’s daily operations, their associated risks are on the rise. Enter IT risk management—a practice that applies risk management principles to IT organizations.
IT risk management entails identifying, assessing and prioritizing risks to an organization’s capital and earnings. It involves taking steps to minimize, monitor and control the impact of those risks.
In simpler terms, it’s about protecting valuable business assets, ensuring adherence to rules and standards, upholding a positive image, making well-informed choices and ensuring smooth operations and resilience – even during challenging situations.
Risk management is nothing new to organizations; this is just about applying well-known processes and procedures to the growing web of IT engagement. As organizations build out IT risk management plans, this will often include filling familiar roles such as a risk manager and a risk remediation analyst – roles that should have not only a strong understanding of general risk management practices but also an IT background, to ensure risks are properly assessed and remediated.
The new cyberrisk landscape
A major challenge, though, is that the risks that IT and cybersecurity teams must address aren’t standing still. In fact, their constantly shifting nature is perhaps their hallmark – and the greatest source of risk.
Over the past five years, the nature of IT risk management has evolved significantly, expanding its scope and meaning to meet the challenges of an ever-evolving cyberrisk landscape.
The task of simplifying IT risk management has become steadily more intricate, as the threats it faces in many ways don’t match traditional definitions of “risk.”
Defining IT risk and the disciplines it impacts
Let’s begin by addressing a basic question: What risks are we really dealing with? Because they’re not the same as they were just a little while ago.
At its core, an IT risk could manifest as a compromised data center, an individual’s computer vulnerability or a malicious virus. But today’s more diverse and fluid threats demand that we consider risk-based vulnerability management (RBVM) and explore ways to automate this process. Additionally, we must proactively prevent risks by adopting DevSecOps practices.
To set the stage, let’s differentiate between IT risk and security risk:
- IT risk refers to potential negative outcomes involving the failure or misuse of IT.
- Security risk refers to someone or something that poses a potential threat to safety or could cause harm to an organization.
As the landscape of cybersecurity has mutated, it has reshaped our concept of threats and vulnerabilities: Organizations face threats, and exposures to them are vulnerabilities. When those vulnerabilities are exploited, they become risk. So, IT risk management hinges on managing IT vulnerability. We may not ever eliminate threats entirely, but we modulate and moderate them with vigilant vulnerability management.
Two disciplines central to IT vulnerability management are IT asset management (ITAM) and IT service management (ITSM) and the technologies they deploy:
- ITAM involves tracking and optimizing an organization’s assets – physical and digital – throughout their lifecycle, ensuring efficient utilization and proper handling of valuable resources.
- ITAM tools provide management of configuration items (CI) such as hardware and software assets, so IT can configure, optimize and track CIs throughout their lifecycles.
- ITSM is the practice of designing, delivering, managing and improving IT services to meet organizational needs efficiently and effectively. Its tools and best practices improve IT ability to track, respond to and service technology requests from the end user and any other internal clients.
- ITSM tools may also allow users to “self-serve” by fixing simple and common technical problems as part of an effort to achieve level-zero help desk support.
- Another discipline that figures in controlling IT risk is exposure management, an emerging field that proactively identifies and mitigates potential vulnerabilities and security risks before they can be exploited.
How do these tools lend themselves to simplifying IT risk management, especially since we’ve laid out how complicated IT networks and cyberthreats have become?
ITAM and ITSM technology platforms with the right functionality can help an organization unify IT operations within a closed-loop security process, one where there’s automated, continual and proactive detection, assessment and remediation of vulnerabilities.
The key word is, of course, “automated.” Human intervention isn’t necessary if vulnerabilities can be patched or issues remediated before they impact users, preventing security impacts or even the need to contact a helpdesk.
Shifting Security workloads left
The tools already used by IT, particularly ITAM and ITSM, can therefore help Security “shift left”: their automation allows more security actions with less labor and cost, evolving into proactive risk remediation.
What are some of the ways ITAM and ITSM automations can be used to make life easier for Security teams?
Improve self-service options for end users
Automate triage of security requests and questions, so lower-level requests get routed to lower-tier personnel to free up senior analysts from phishing identification or similar tasks. Implement request forms for file access or policy exemptions within a security wiki, enabling level-zero self-service user support.
Unify security incident resolution
Repurpose IT ticketing software and prioritization queues (as fed from request forms) for better prioritization, tracking and contextualization of security incidents.
Repurpose background IT automations for security use cases
The same proactive IT automations within ITAM and ITSM that are triggered based on specific settings can be cloned and tweaked to address a wide variety of security purposes, like securing endpoint environments and sensing malicious activity.
Set up automation triggers
Security teams can make use of current CIs and create custom, security-specific variables tracked in an ITAM’s configuration management database (CMDB) as both triggers for and components of automated formulas.
Automate security enforcement
The same IT features that enforce general computer policies for users can report on and enforce security protocols. For instance, they can send alerts on possible policy breaches or insider threats as they’re detected.
5 keys to streamlining IT risk management
Simplifying and optimizing IT risk management doesn’t just involve IT. The cybersecurity team at your organization obviously has a vested interest in any measures taken to improve the efficiency and efficacy of the processes and tools you put in place. That’s why many of the key steps in improving IT risk management revolve around communication and collaboration between IT, Security, and other stakeholders.
For a more in-depth look at the points below, consult our ebook, From Adversaries to Allies.
1. Security teams should explain their plans and requests
Avoid edicts and provide explanations to organization stakeholders about the strategy and benefits behind your security plans, changes and requests. Prior to initiating any security plan, the CISO should be sharing security strategy and the plan to implement it, as IT departments can quickly become frustrated by unexplained security requests.
Due to time and bandwidth constraints, security requests may be issued without any explanation regarding why the change is being requested. This can make it difficult for IT to implement the requests. It’s important for security teams to consider how their requests can be implemented by IT departments.
2. Be conscious of the burdens on IT
Security teams should always be mindful of the workload of the IT team before making a request; IT may be dealing with a larger project or not have enough staff to handle the task. It's imperative to look for tools and systems that can make it easier for your IT team to implement security policies, requests, and patches.
Combining risk-based vulnerability management (RBVM) and ITSM helps reduce the burden on IT by “automagically” prioritizing the important tasks and ignoring misprioritized ones.
Consider this: At any given moment, roughly a quarter million vulnerabilities are scored with the Common Vulnerability Scoring System (CVSS) and categorized as high, medium or low risk. Of those, about 38,000 are weaponized – with about 11,000, or 4%, considered dangerous. Through the lens of RBVM, we find that most of the “critical” risks flagged by CVSS aren’t actually critical – because we can drill down to the most dangerous 4% of the high and medium vulnerabilities. This reclassification of vulnerabilities as identified by the CVSS standard dramatically redirects attention to the truly critical vulnerabilities the IT team must focus on.
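The reclassification described above, as an added example that is not part of the original article or any vendor product: a small risk-based ranking that feeds an ITSM-style queue, where weaponization and asset exposure outrank the CVSS severity label. The `Finding` fields, the `P1`–`P4` priority bands and the sample records (placeholder CVE identifiers) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Finding:
    cve: str             # placeholder identifier, constructed for this example
    cvss: float          # CVSS base score, 0.0-10.0
    weaponized: bool     # exploit publicly available or exploitation observed (assumed threat-intel feed)
    asset_exposed: bool  # assumption: asset is internet-facing per the CMDB


def cvss_band(score):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"


def rbvm_priority(f):
    """Risk-based priority: weaponization dominates the CVSS label."""
    if f.weaponized and f.asset_exposed:
        return "P1"          # exploitable now, reachable now: patch first
    if f.weaponized:
        return "P2"          # exploitable, but internal-only
    if cvss_band(f.cvss) in ("critical", "high"):
        return "P3"          # severe on paper, no known exploit
    return "P4"              # routine patch cycle


def build_queue(findings):
    """Order findings as an ITSM queue: priority, then score, then id for stable ties."""
    ordered = sorted(findings, key=lambda f: (rbvm_priority(f), -f.cvss, f.cve))
    return [(f.cve, cvss_band(f.cvss), rbvm_priority(f)) for f in ordered]


def summarize(findings):
    """Count findings by CVSS band and by RBVM priority to show the reclassification."""
    return (Counter(cvss_band(f.cvss) for f in findings),
            Counter(rbvm_priority(f) for f in findings))


# Constructed sample records (CVE ids are placeholders, not real advisories).
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, weaponized=False, asset_exposed=False),
    Finding("CVE-XXXX-0002", 6.5, weaponized=True, asset_exposed=True),
    Finding("CVE-XXXX-0003", 7.5, weaponized=True, asset_exposed=False),
    Finding("CVE-XXXX-0004", 3.1, weaponized=False, asset_exposed=True),
    Finding("CVE-XXXX-0005", 9.1, weaponized=True, asset_exposed=True),
]

if __name__ == "__main__":
    for row in build_queue(SAMPLE):
        print(row)
```

Note how the 9.8 “critical” without a known exploit lands in P3, behind a 6.5 “medium” that is weaponized and exposed.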
3. Embrace collaboration
Departments working together to streamline IT risk management must collaborate to reach mutually beneficial outcomes. After all, each has its own priorities: IT wants operations to run smoothly, while Security wants to manage issues as immediately as possible.
By partnering and being flexible in building IT risk management protocols and processes, both can notch a win. One way to create this flexibility is by establishing mutually accepted service-level agreements (SLAs).
4. Establish shared goals
Security and IT have common ground: Both want to keep the organization, users and processes running smoothly. So, it's vital to have IT and Security leadership align on goals and set key performance indicators (KPIs), dashboards and other metrics to track and reinforce them.
It's also important that an organization understands the implications of instituting strategic goals so that any impacts on product, process and people are known before those goals are locked in.
5. Lend a helping hand
Sharing administrative resources, technical expertise, and tools between Security and IT teams can reduce costs and boost collaboration. For instance, if Security borrows IT tools, policies, and processes for their use cases, they should offer something in return.
Shared tools, dashboards, and reports create a context for both teams to understand each other's worlds, building empathy and trust.
Considering the threats now at large to corporate digital networks, that kind of collaboration is critical.