Overcoming Resource Barriers to Risk Quantification Using Technology
A common obstacle to risk quantification is the difficulty of managing large volumes of data using spreadsheets and configuration management databases. AuditBoard’s ITRM: The Promise and Challenges of Risk Quantification, explores how technology can enable IT security teams to begin quantifying their risks with greater efficiency and accuracy. Download the full guide here, and continue reading to learn how InfoSec teams can overcome common resource challenges to risk quantification.
Utilizing Technology to Jump-Start Risk Quantification
Organizations are taking advantage of connected IT risk management technology to kick-start their risk quantification efforts. While technology can introduce efficiencies to risk quantification, some InfoSec teams may feel hesitant to advocate for investment in new technology while managing other important projects. A compelling argument for leveraging technology in your risk quantification efforts is that your existing resources — typically, spreadsheets and configuration management databases (CMDBs) — may be holding you back. For example, there are drawbacks associated with these standard methods of IT asset management, including:
- CMDB data tends to be an incomplete or inaccurate reflection of the actual IT risk environment because the database does not track asset data as it changes in real time.
- Difficulty converting data in a CMDB file into a standardized value system that measures risk, leading to difficulty ranking risks and communicating their criticality to the business.
- Infosec databases may not be integrated with the business’s enterprise-wide risk database, resulting in risk data that is neither complete nor wholly reliable.
This environment creates disadvantages that further limit InfoSec’s ability to mature the scope of its risk assessment efforts, including:
- Difficulty identifying and assessing risks for a quickly evolving and complex information system landscape. This hinders the business from prioritizing risk mitigation efforts and maximizing resources for its most pressing risks.
- Inability to demonstrate risk exposures and how key information systems are protected. This affects leadership’s ability to allocate investments and resources to reduce the organization’s risk exposures.
- Risk management is not embedded within asset management. As a result, system owners may not fully understand the risk impact that their systems have. This makes it challenging for InfoSec to collaborate with system owners to assess and remediate risks.
- Inability to see how information security risks are trending over time. This also makes it challenging to demonstrate how mitigation investments have tangibly reduced risk for the business.
Overcoming Resource Barriers to Risk Quantification
Selecting the right technology can help InfoSec teams organize and streamline aspects of risk quantification and automatically connect the dots between their data. According to PwC, 75% of organizations are planning to increase spend across data analytics, process automation, and technology to support the detection and monitoring of risks.
Consider starting by migrating your IT systems data into a single source of truth, ideally a platform that is cloud-based and able to integrate with other information systems and business applications. This key step will enable InfoSec teams to better organize their business’s risk quantification data, facilitating risk prioritization and the deployment of risk management efforts. Moreover, a cloud-based system will reflect any new changes to your InfoSec environment that are logged, leading to a more accurate and reliable picture of your business’s information system environment and its risks as they evolve.
Ideally, the more efficiencies introduced by technology, the more risk quantification work you can perform. Ultimately, the more data you can retrieve using technology, the more efficiently you can improve your feedback. Download the full guide, ITRM: The Promise and Challenges of Risk Quantification, here.