Discover Performance: HP Software's community for IT leaders // March 2012
Five steps to limit business risk
Effective risk management through true enterprise security intelligence starts with a simple process.
Limiting risk is a major touchstone of executive success, arguably as important as revenue growth. For today's enterprise, IT risk is everywhere: attacks, accidental breaches, compliance failures. IT executives need a broad perspective on risks to the enterprise.
That comprehensive view of your IT security stance is coming to be known as enterprise security intelligence (ESI). ESI moves away from ineffective, siloed security initiatives in favor of an integrated security framework for the entire organization.
"An important part of what ESI can do for a company is to encourage holistic, coordinated planning," says Alan Kessler, vice president for enterprise security at HP. "When you're consistently proactive about your security plans, implementing the methodology that will limit risk comes much more easily."
But elevating your perspective on IT security beyond "Are all my patches up to date?" requires a systematic approach to understanding the greater concept of business risk. Get there by following five basic steps:
Step 1—Assess your needs.
Inventory all assets that may require security and understand their overall importance to the business. As part of your assessment, categorize issues as high, medium, or low importance. With a low-risk asset, such as a blog, minimal security may be sufficient, whereas a web-based payroll application is sure to need robust security.
Step 2—Identify your objectives.
For each issue found during the assessment phase, identify the outcome you want. This process is especially important for mission-critical and high-risk applications. Do you need a kill switch that can terminate a process immediately? Do you need a real-time dashboard for monitoring security or are end-of-day reports sufficient?
Step 3—Research the possible solutions.
For each issue, know which options are available to achieve the objective you've set. How will you get there? For example, if you need a firewall and an intrusion detection system (IDS), whom can you rely on to provide it?
Step 4—Test and evaluate the potential solutions.
Before you decide on a solution, perform a detailed pilot test. This is especially important if your new solution sits within the network and can potentially cause mission-critical outages. You should know ahead of time whether there are any business requirements that the target solution cannot address.
Step 5—Appoint specialists to shepherd the implementation.
You'll need to decide whether to manage the implementation in-house or hire professional services. Assess the skills of your IT staff and their available bandwidth. Meanwhile, request bids for managed services. Outside professionals bring focus and expertise to your project and can often provide training for in-house staff.
Lower risk, high reward
This sort of simple, strategically coordinated security assessment is an excellent springboard to ESI. Organizations that approach security and business risk in this way can expect to improve the effectiveness of security across the enterprise and limit all types of business risk.
To learn more about ESI and ways to limit your business risk, visit HPEnterpriseSecurity.com.