This is the first post in a three-part series on Agile Risk Intelligence. The complete Agile Risk Intelligence e-book is now available.
Security executives have always embraced the challenging task of protecting their organizations’ users and assets. It’s a thankless job against a faceless enemy, but that’s always been part of the deal. However, today it seems like the objective has become mission impossible (or at least mission immeasurable).
We’ve invested in a set of tools and capabilities that are grounded in an old reality: one of fixed network perimeters and standardized compute environments. We have built them to defend primarily against network-driven attacks carried out by solo adversaries. Unfortunately, many of our security investments are now like the guards in front of Buckingham Palace: ornate pieces of “security theater” which, at the end of the day, deliver deterrence and protection against only the most rudimentary of today’s threats. And while we are busy upgrading to the “next gen” versions of these tools, they still offer fundamentally reactive protection, which depends on the “expert” knowledge of those building signatures and policies.
In response to this, we’ve deployed newer, more proactive approaches to risk management. We’ve deployed vulnerability scanners at every level of the stack. We’ve mapped our network to try to understand attack paths. We’ve invested in new mobile security management products to try to rein in the explosion of new devices and device types connecting to our network. We’ve built processes and tools to understand the attack surface and proactively manage it.
However, in a classic example of be-careful-what-you-ask-for, we now find our teams buried in data: thousands of vulnerabilities with ever-escalating and uncertain severity, disconnected “fix and patch” tools, and a lack of context and overall insight into what this data means and how much risk it indicates. This leaves us scratching our heads on the most fundamental of questions, like:
- Is my risk profile lower today than yesterday?
- Am I protected against the threats that are active NOW, and not just on my network, but also out in the wild?
- Am I prioritizing based on some “expert” opinion, or acting on real data-driven insight?
- Am I effectively closing the loop between planned and actual risk mitigation?
And at the end of the day, the most important strategic question of all is: “Am I getting the best protection and risk reduction for my level of security investment?” In order to win in today’s world—a world where the perimeter is gone and the bad guys are highly networked, wicked smart, and use the latest in social computing and engineering to win—we need a new approach to IT risk management. Risk I/O calls this “Agile Risk Intelligence.”
Agile Risk Intelligence enables security management teams to respond more rapidly, proactively and efficiently to real, unperceived threats and risks through new, powerful and actionable insights into IT and business risk. It adds context to data, delivers insight and closes the loop between insight and action. By taking advantage of advances in big data analytics, correlation models and tools, and by connecting organizations with each other through networked data sharing, Agile Risk Intelligence is now within reach of security management teams.
However, organizations must bridge five gaps in order to move from today’s capability to an agile one. These gaps are: (1) Lack of Risk Context, (2) Lack of Global Risk Visibility, (3) Lack of Closed-Loop Processes, (4) Lack of Time & Resources, and (5) Lack of Toolsets. In my next blog post, I’ll explore these gaps in more detail.