As security threats and IT risk management become boardroom-level discussions, security leaders are faced with a growing need to communicate and prioritize IT risks in business-relevant terms. They must be able to communicate the state of their constantly changing environment to a range of different stakeholders – C-level executives, business unit leaders, audit and IT operations – in terms that each group can understand and act upon.
Unfortunately, many security leaders still struggle with these conversations. A 2011 report from the Information Risk Executive Council highlights this challenge. It noted that even among the best-performing member organizations, only 1 in 8 CISOs (or 12%) felt that they could effectively influence business decisions.¹
conducted by Forrester Consulting on behalf of Symantec, set out to explore the reasons behind these communications challenges. Forrester asked a group of IT decision makers what changes to their IT risk management program would have the most positive impact on their relationship with business counterparts. Nearly half of respondents (47%) pointed to improvements in their ability to communicate the value of security and risk management in business terms. Over 40% called out the need for more timely and accurate data, or more frequent reporting of risk and compliance.
The latest release of Symantec’s IT Risk and Compliance offering, Symantec™ Control Compliance Suite 11, is designed to help address these complex challenges. It features a new Risk Manager module which allows IT security leaders to define a virtual business asset which they can then manage from an IT risk perspective. This virtual business asset could be their e-commerce site, credit card services group or transaction processing system. By grouping together all of the IT assets associated with this virtual business asset, they can start to visualize and better understand the risk associated with it. So, for example, instead of sending the VP of Internet banking detailed reports on all of his vulnerability issues, security leaders can now illustrate how these issues are causing the Internet banking business to exceed its IT risk thresholds. This facilitates a much more productive conversation all around.
Effectively reporting on IT risk requires security leaders to be able to tailor their data for different audiences. Control Compliance Suite 11 facilitates this by allowing them to customize dashboards with audience-specific risk metrics. For example, an executive-level dashboard could illustrate high-level metrics, such as IT risk scores across all business units. Security operations dashboards could drill down to examine technical details behind these risk scores. Dashboards for IT operations could outline detailed remediation plans with the ability to monitor risk reduction over time as scheduled remediation activities take place. These different dashboard views will provide different stakeholders with the information they need to make better decisions around IT risk.
- ¹ Information Risk Metrics, Measuring and Communicating Functional Performance, Information Risk Executive Council®, 2011