In response to Gartner’s 2013 Global Risk Management Survey, which revealed that fear of attack is causing security professionals to shift their focus away from disciplines such as enterprise risk management and risk-based information security towards technical security, I have the following comments from Federico de la Mora, senior director, EMEA, at Tripwire:
“There are other angles to time spent on risk management and metrics versus time spent on technical security. First, unless the organisation has a mature risk management process, the risk-based metrics and KPIs may be measuring the wrong technical indicators, e.g. those that are easier to remediate or those that can be easily measured. As a result, there is a direct benefit in using software tools to automate the collection of, and reporting on, specific technical configuration items. Many security vendors provide out-of-the-box configuration templates or benchmarks that can be customised to feed into the risk-based metrics and KPIs once this data has been collected and correlated.
Second, risk management requires not only a good measurement process but also a remediation one. Although many KPIs measure non-technical activities, it makes business sense for organisations to partly or fully automate the remediation of any relevant technical controls by leveraging technical security solutions. Overall, the more companies automate the measurement, remediation and reporting of technology-related controls, the faster they can improve their security baseline and the lower the costs and resources required to manage security risk.
Finally, the deployment of technical solutions could benefit organisations by reallocating employees’ time from processes automated by software to more complex processes that require manual intervention, e.g. security training and awareness, GRC and budgeting, to name but a few.”