Top 5 IT Risk Management Resolutions For 2014

ارسال شده توسط بابک بابکی | 28 Feb, 2014

As IT risk management and security professionals steel themselves for another year of high-profile breaches, increasingly sophisticated attacks and continued regulatory scrutiny on their controls, now may be the perfect time to re-examine risk management priorities. While every organization is unique, risk management pundits believe there are certain common initiatives that could stand more attention among many enterprises. The following five resolutions—listed in no particular order--are among the top ways that risk managers can take their practices to the next level in 2014.

Resolution #1: Improving Third-Party Risk Management
As news of more breaches and security incidents caused by third-parties make the news, enterprises and regulatory bodies alike are sharpening their focus on risks posed by vendors and partners entrusted with their data. According Andrew Wild, CSO of Qualys, he expects third-party risk management to be a key area of focus for IT risk professionals this year.

"The growing reliance upon third parties requires a mature third party risk management program to ensure risks are properly identified, assessed and managed," Wild says, pointing to new regulatory requirements such as the guidance issued for banking institutions by the U.S. Office of the Comptroller of the Currency. "However, even organizations with no regulatory or compliance program requirements for third party risk management face increased scrutiny from customers about third party risk management."

Resolution #2: Tune Risk Management For Greater Flexibility And Response
Targeted and stealthy attacks will continue to press security practitioners to change their methods to deal with them.

"The damage generated by those targeted attacks will be significant enough to drive further migration from static border protection and access control-based security programs, to dynamic programs that analyze new threats and risks on a daily basis and drive upgrades, updates and system changes," says Rich Dakin, chief security strategist for Coalfire.

This, of course, means that risk analysis needs to advance way beyond simple yearly risk assessments if risk managers are to make meaningful calculations that can drive decisions about IT infrastructure and processes. Not only should organizations be seeking better ways to feed real-time information into risk assessments, but they also should be seeking ways to more quickly adjust existing technology according to those assessments rather than simply trying to buy their way out of newly identified risks.

"Businesses often assume they need new controls to address subsequent risks, but often times they can adjust existing controls to address new risks," says Gerrit Lansing, director of consulting services for CyberArk Software.

Resolution #3: Use More Data To Assess Risks
Part of that push to a more evolved risk assessment involves better incorporation of data into the process. As important as questionnaires and the like may be to understanding processes and practices, data mined from security technologies and IT infrastructure are equally important to validate that the assumptions made when answering questions are truly valid.

"Many organizations do not utilize the facts and data that are present in their environment," says Amad Fida, CEO of Brinqa. "They miss the opportunity to analyze and correlate those responses with security data from their systems and controls they have in place."

[Are you getting the most out of your security data? See 8 Effective Data Visualization Methods For Security Teams.]

Resolution #4: Collaborate With Business Users For More Pervasive Risk Management
The security elite have long preached the need for better alignment between IT security practices and the business. That starts first with increased collaboration in the risk-management process between risk managers and business users both inside and outside the organization, says Yo Delmar, vice president for MetricStream.

"Essentially risk, compliance, and security functions will have inputs from the first line of defense business users, suppliers, franchisees, and so on," Delmar says, explaining that means providing a risk management platform that supports widespread useage for these users. "Risk management will increasingly be tied with performance management and will be available at the ‘point’ of action for business users. For example, if a company is working with high risk vendors, it will not be enough to just do an assessment of the vendor regularly, but rather systematically tie performance indicators and negotiations for renewals to that vendor risk assessment directly."

Resolution #5: Balance Preventative Controls With Detective Controls
More organizations should resolve themselves to improve the balance between preventative and detective controls, Wild says.

"In the past, many companies almost exclusively relied on preventative controls, which is not 100% effective," he explains. "Because of this, the use of detective controls to ensure security incidents that aren’t prevented can be discovered, contained and remediated."

At the end of the day, this balance should be driven by a solid risk management-based security framework.

  Ericka Chickowski

6Fundamentals That Can Make You A Better Manager In 2014

ارسال شده توسط بابک بابکی | 3 Feb, 2014

When it comes to management, I’ve always been a bigger believer in fundamentals than fancy.  Sure, there’s nothing at all wrong with, say, presentation skills that spellbind an audience of thousands, but when it comes to operational effectiveness, chances are that will be determined by how well you execute fundamentals day in and day out.  In that spirit, here are 6 fundamentals that can make you a better manager in 2014.

1. Be open to new ways of looking at things - The best managers are flexible, adaptable, and closely attuned to their environment.  They’re always looking for opportunities.  Be a good listener.  Many of the best process improvement ideas routinely come from employees in the trenches, as they’re the ones closest to the actual work.  Rigidity is the enemy of progress.  Don’t be afraid to shift the paradigm and move away from, “This is the way we’ve always done it here.”

2. Expect excellence – Set high but not unattainable standards and expect your employees to meet them.   The best managers are ultimately not those who are “toughest” or “nicest,” but those who get the best results from people in their charge.  Once your employees recognize you have unfailingly high standards, that’s key data they won’t forget.  If your employees know you demand excellence from yourself, they’re more likely to find it in themselves.

3. Make sure your employees know – clearly – where they need to focus -  About those high standards just noted in point number 2… be sure your employees’ job objectives clearly reflect them. Well-conceived, measurable employee objectives are a manager’s best friend.   They move job performance from the realm of the subjective into – no surprise – the objective.   If created thoughtfully at the start of the year, objectives will be a valuable guide for both employee and manager as the year unfolds.

4. Protect your time as if it were gold (or perhaps Bitcoins?) – Time is an underrated but crucial management asset, essential to thoughtful decision making.   Managers are routinely pulled in too many directions.   I know I was, which often resulted in just getting stuff done…rushed work rather than optimized work.   The most effective executives I knew protected their schedules vigilantly.  They did what they needed to do, of course, but they prioritized well, delegated effectively, and left themselves with enough time to carefully think through what they most needed to.

5. Communicate regularly by providing meaningful feedback in real time – Sure, effective communication may sound a little trite, but that’s because its so fundamental to sound management.  Strong managers invariably are excellent communicators.  Providing ample feedback – both positive and negative – is a core skill.  Make yourself readily available to those you manage.  Be there, be present, be accessible.  Even if you’re managing remotely, you’re still easily reachable by phone, email, text, etc.  Better to be physically remote and easy to communicate with… than to be physically nearby but a distant communicator.

6. Don’t duck conflict, but deal with it directly and fairly – As any manager knows, the workplace environment is a fertile breeding ground for conflict.  Interpersonal issues, compensation, recognition, cost-cutting, layoffs, management-employee relations… there’s never a shortage of emotionally charged issues that can lead to conflict.  As much as it’s often tempting to look the other way, the best managers aren’t “conflict avoiders” – they address problems quickly and fairly.  Employees are keen observers; they note who takes action when needed and who doesn’t.  They respect managers who confront difficult situations, just as they’ll lose respect for those who chronically avoid them.

Management is a complex endeavor requiring a diverse skill set.

Mastery of  fundamentals provides a solid foundation on which to build everyday operations.

These are six basic ones, by no means an exhaustive list, but six reliable old ones to help get a new year off to a strong start.

 Victor Lipman