Know Your Enemies – Assess and Manage Your Risk

Stephen Nardone

Any competent IT professional will tell you that one of their top priorities – probably the top priority – is securing their enterprise’s data and network. Indeed, CIOs typically allocate a healthy chunk of their overall IT budgets to security.

Concern, however, does not always translate into competence, or even common sense. Further, throwing money at a problem without first properly assessing and prioritizing an enterprise’s unique IT-related risks actually can create greater vulnerability. You can’t just buy technology, put it in your environment, and assume that your assets are safe.

Enterprise IT is constantly changing. As new technologies enter the enterprise – mobile devices, cloud storage, Web apps and more – they bring with them new and often unique vulnerability challenges.

To avoid the predictable dangers of this “set it and forget it” mindset in an era of dynamic change, it is imperative that IT professionals conduct a thorough risk assessment as the first step toward a sound security strategy.

That means 1) determining the types of threats that pose the most danger to the enterprise, 2) mapping where valuable data exists in the network (or cloud) and how it can be accessed, and 3) locating main points of vulnerability. The latter can be accomplished through penetration testing.

Once a comprehensive risk assessment is completed, risk can be measured against existing policies and procedures. This reality check is the starting point for enabling IT professionals to develop specific, customized security policies and roadmaps that take into account physical security, access to network-based digital assets, business continuity and emerging technologies.
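The three assessment steps above (threat types, where valuable data lives and how it is reached, and the vulnerabilities found by testing) and the follow-on check of risk against existing policy can be captured in a small risk register. The following Python script is an added example, not code from the author or any vendor; the scoring scales, the classification weights, the exposure multiplier, the policy rules and the sample assets are all constructed assumptions for illustration, and a real register would use the enterprise's own scales and control catalogue.

```python
"""Minimal risk register: score asset/threat pairs, rank them, and flag policy gaps.

Added illustration; every scale, weight and sample asset below is an assumption.
"""
from dataclasses import dataclass, field

# Qualitative 1-5 scales (assumed; use the enterprise's own scales in practice).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Step 2 of the assessment: where the valuable data sits drives the impact weight.
CLASSIFICATION_WEIGHT = {"public": 0.5, "internal": 1.0, "confidential": 1.5, "restricted": 2.0}

# Assumed multiplier for assets reachable from the internet (larger attacker population).
INTERNET_EXPOSURE_MULTIPLIER = 1.5


@dataclass
class Asset:
    name: str
    classification: str          # public / internal / confidential / restricted
    access_paths: list[str]      # how the data can be reached, e.g. ["internet", "lan"]
    controls: set[str] = field(default_factory=set)  # controls verified to be in place


@dataclass
class Risk:
    asset: Asset
    threat: str                  # step 1: the threat type being assessed
    likelihood: str
    impact: str
    finding: str = ""            # step 3: a test finding that informs the likelihood


def risk_score(r: Risk) -> float:
    """Likelihood x impact, weighted by data classification and external exposure."""
    score = LIKELIHOOD[r.likelihood] * IMPACT[r.impact]
    score *= CLASSIFICATION_WEIGHT[r.asset.classification]
    if "internet" in r.asset.access_paths:
        score *= INTERNET_EXPOSURE_MULTIPLIER
    return round(score, 1)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest residual score first; this ordering becomes the remediation roadmap."""
    return sorted(risks, key=risk_score, reverse=True)


# The "reality check": rules the existing policy already requires (assumed rules).
# Each entry: (rule name, predicate deciding whether the rule applies, required control).
POLICY = [
    ("internet-facing assets require MFA",
     lambda a: "internet" in a.access_paths, "mfa"),
    ("confidential/restricted data must be encrypted at rest",
     lambda a: a.classification in ("confidential", "restricted"), "encryption_at_rest"),
    ("restricted data must be logged and monitored",
     lambda a: a.classification == "restricted", "monitoring"),
]


def policy_gaps(assets: list[Asset]) -> list[tuple[str, str]]:
    """Return (asset name, rule name) for every policy rule that applies but is unmet."""
    gaps = []
    for a in assets:
        for rule_name, applies, required_control in POLICY:
            if applies(a) and required_control not in a.controls:
                gaps.append((a.name, rule_name))
    return gaps


# Constructed sample inventory (not real systems).
CRM = Asset("customer CRM", "confidential", ["internet", "lan"], {"mfa"})
HR_DB = Asset("HR database", "restricted", ["lan"], {"encryption_at_rest", "monitoring"})
WIKI = Asset("internal wiki", "internal", ["vpn"], {"mfa"})
SAMPLE_ASSETS = [CRM, HR_DB, WIKI]

SAMPLE_RISKS = [
    Risk(CRM, "credential phishing against CRM users", "likely", "major",
         finding="assessment noted no lockout or rate limiting on the login form"),
    Risk(HR_DB, "insider data exfiltration", "possible", "severe"),
    Risk(WIKI, "accidental disclosure of internal notes", "possible", "minor"),
]


def report(risks: list[Risk], assets: list[Asset]) -> str:
    lines = ["Prioritized risks:"]
    for r in prioritize(risks):
        lines.append(f"  {risk_score(r):>5}  {r.asset.name}: {r.threat}")
    lines.append("Policy gaps:")
    for asset_name, rule_name in policy_gaps(assets):
        lines.append(f"  {asset_name}: {rule_name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RISKS, SAMPLE_ASSETS))
```

Running the script ranks the internet-facing CRM threat above the higher-impact but internal HR database threat, and reports that the CRM holds confidential data without the encryption-at-rest control the assumed policy requires. That gap, not a new product purchase, is the first item on the roadmap, which is the point of measuring assessed risk against what policy already says.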

The best IT security strategies are useless without proper implementation and execution. Enterprise security that can neither detect nor react to threats in a timely and effective manner is no security at all.

Beyond that, IT professionals must understand that risk assessment and security management are ongoing processes, as well as building blocks for a strong security profile. To help protect their enterprises’ critical assets, IT professionals should consider partnering with a managed security services provider that can guide them through the threat life cycle on a continual basis.