Translating IT risk to business risk: Symantec adds Risk Manager to IT GRC suite

February 14, 2012

Posted in: Network Security Trends

IT governance, risk and compliance (GRC) is a challenge for every large organization struggling with the complexity of IT policies and controls and with communicating IT risk to management in terms of actual risk to the business. The IT GRC market has appeared and grown in recent years as enterprises try to manage this almost unmanageable task across disparate systems, applications, business units and so on. The goal is to cut through the overwhelming mass of data and the endless “to do list” in large, usually highly distributed enterprises, and to establish clear priorities based on business risk management principles. The best performing organizations will, in theory at least, be well positioned to identify and address their most pressing security issues and maintain compliance with multiple regulatory requirements in a sustainable security program. This encompasses implementing and managing policies and their supporting controls, preparing and executing audits, and prioritizing and remediating risks.

Mature companies have some sort of enterprise-wide GRC program, but these typically involve manual, redundant processes using spreadsheets, SharePoint and the like. As Michael Rasmussen, president of Corporate Integrity, has said, “Spreadsheets are a recipe for disaster.” Paper systems, he says, are unmanageable and suffer from the absence of audit trails.

That’s where IT GRC products, such as the just-announced latest release of Symantec Control Compliance Suite (CCS), come in. These products help automate GRC, enabling enterprises to create and distribute policies and controls and map them to regulations and internal compliance requirements. Significantly, IT GRC tools give enterprises a fighting chance at a continuous and sustainable program: they can confirm that their controls are in fact implemented and functional, and remediate them if they are not working, require updating, or prove ineffective and need to be replaced with alternative controls.

IT GRC tools reduce redundant compliance efforts by allowing enterprises to map policies and controls to multiple security and regulatory requirements, streamlining implementation, monitoring, reporting and audit. They reduce redundancy and inefficiency, and put security managers in a position to prioritize efforts based on risk. (See my CSO Toolbox report, “IT GRC Tools: Control Your Environment.”)

Translating IT risk into business risk is the focal point of the Symantec CCS 11.0 release. The major enhancement is the introduction of the Risk Manager module, which is designed to repair the disconnect between CISO types and management. (Symantec cites 2011 data from the Security Risk Executive Council on the effectiveness of CISO reporting to senior executives: only 12% say their reporting is influencing executive decisions. The rest either aren’t being listened to, aren’t understood, or simply don’t report regularly to management.)

The core of the Risk Manager approach is the creation of virtual business assets. In IT, we generally think of assets as very discrete entities: a particular web application server or the app itself, a customer database, a perimeter firewall, a switch or a router. The Risk Manager module of CCS works on the premise that any grouping that is significant to the way the business works can be regarded as an asset. So, for example, an asset can be a critical business process, such as transaction or credit card processing, or a grouping of resources supporting online retail. Risk Manager pulls together all the components that are key to the security of the virtual business asset (databases, servers, applications, network and security devices, and software) and rolls them up into a collective risk assessment.

From this perspective, the individual IT assets can be rolled up collectively, so security managers can determine the risk to the business function and prioritize remediation and the distribution of resources accordingly. The dashboards give you several views of risk status, allowing you to assign an acceptable risk threshold and act based on how far the threshold is exceeded and on the criticality of the asset to the business. The risk level can be monitored over time to determine whether it is improving or growing worse.
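To make the roll-up idea concrete, here is a small Python model of it. This is an added illustration, not Symantec's code and not the scoring method CCS actually uses; the weighting (weakest link plus mean), the threshold, the criticality scale and all component names and scores are constructed assumptions.

```python
"""Illustrative risk roll-up for a "virtual business asset" (added example; not
Symantec's code and not the CCS algorithm). It models the approach described
above: group IT components into a business asset, roll up their risk, compare it
with an acceptable threshold weighted by business criticality, rank assets for
remediation and track the trend over time. All names and scores are constructed."""
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    kind: str     # e.g. "database", "server", "firewall" (constructed labels)
    risk: float   # 0..100, e.g. derived from failed controls or open findings

@dataclass
class BusinessAsset:
    name: str
    criticality: int   # 1 (low) .. 5 (critical) to the business
    threshold: float   # acceptable rolled-up risk score
    components: list = field(default_factory=list)

def rollup_risk(asset):
    """Weakest link dominates (70% of the highest component risk); the mean adds
    30% so breadth of issues still counts. An asset with no components scores 0."""
    if not asset.components:
        return 0.0
    scores = [c.risk for c in asset.components]
    return round(0.7 * max(scores) + 0.3 * sum(scores) / len(scores), 1)

def priority(asset):
    """How far the threshold is exceeded, scaled by criticality; 0 when within it."""
    excess = rollup_risk(asset) - asset.threshold
    return round(max(0.0, excess) * asset.criticality, 1)

def rank_assets(assets):
    """Remediation order: highest priority first, ties broken by name."""
    return [a.name for a in sorted(assets, key=lambda a: (-priority(a), a.name))]

def trend(history, tolerance=5.0):
    """Classify rolled-up scores recorded over time as improving/worsening/stable."""
    if len(history) < 2:
        return "insufficient data"
    delta = history[-1] - history[0]
    return "worsening" if delta > tolerance else "improving" if delta < -tolerance else "stable"

# Constructed sample: two business assets that share one perimeter firewall
fw = Component("fw-edge-01", "firewall", 20.0)
card_processing = BusinessAsset("credit card processing", 5, 40.0, [
    Component("pci-db-01", "database", 72.0), Component("pay-app-01", "application", 35.0), fw])
online_retail = BusinessAsset("online retail", 3, 40.0, [Component("shop-web-01", "server", 56.0), fw])
print("remediate first:", rank_assets([online_retail, card_processing]))
```

Because the shared firewall feeds both assets, fixing one component can lower the rolled-up score of several business functions at once, which is the kind of prioritization signal the module is meant to surface.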

In addition to Symantec, the leading companies most clearly identified as IT GRC vendors include Agiliance, Modulo, RSA Archer and Rsam, but there are wide differences among these products. If you are in the market for IT GRC help, spend time defining your requirements and matching them against the capabilities and focus of the various tools.
