Bridging the Gaps Between Risk Management in Theory and in Practice

Risk management is one of the most commonly used terms in Information Security. In fact, many security professionals describe the most important aspect of their job as “risk management” or “risk assessment.” Risk management is a broad term. Many frameworks and codes of practice define it as “the control of adverse events to an acceptable level of loss exposure.” Simply put, risk management is an organization’s best effort to prevent unauthorized parties from accessing valuable assets and resources.

While the definition and scope of risk management are wide-ranging, effective risk management is a product of taking a very specific set of measures. Without tailoring risk management efforts to meet our precise needs, we are left with generic “best practices” that may or may not be effective in a given scenario. These nonspecific practices are what lead to the gaps between risk management theory and risk management practice. Below, we have briefly described three common risk management gaps. For a more detailed look at these gaps and how to avoid them, you can read our source article entitled 4 Areas Where Infosec Facts and Fiction Clash: Mind the Gap Pt. 1 by Ray Pompon, Principal Threat Research Evangelist with F5 Labs.

Gap: Incomplete risk management
An alarmingly low number of security professionals consider asset management, or asset inventory, to be an important security process. Many even rank it as the least important control. Not surprisingly, a majority of security professionals report having low confidence in their inventory. We cannot protect our assets if we do not know what they are. An organization’s risk management will certainly be lacking if it does not have this very basic information.

Gap: Biased risk appraisal
Prevalent articles with over-zealous headlines often magnify the amount of risk actually posed by “Advanced Persistent Threats” (APTs). APTs were ranked as the top threat by security professionals. Most industries, however, are not even targeted by APTs. The greatest risks to almost all organizations are actually ones the Information Security industry considers commonplace: web application attacks and credential theft. Though these attacks are far less sophisticated than APTs, they still must be adequately guarded against.

Gap: Misaligned risk mitigation
Due to factors such as the biased risk appraisal noted above, some cyber security professionals’ processes do not align with the threats their organizations actually face. An overwhelming majority of security professionals consider traditional firewalls and anti-virus software to be the most important technical controls. While certainly important, these controls do not adequately protect against web application attacks. Additionally, DDoS was ranked as the second greatest security threat (behind APTs), yet very few organizations actually deploy anti-DDoS defenses. It is crucial not only to correctly identify the risks, but then to take the right steps to mitigate them.

Vandis, through our partnerships with industry leaders like F5 Networks, can help to bridge any gaps in your organization’s risk management procedures. Call us at 516-281-2200 or e-mail us so we can discuss strategies to customize your risk management.