August 12, 2016 By Ayman Hammoudeh 4 min read

Most industries are under regulatory pressure, so they take a compliance-driven approach to security to meet minimum requirements. But compliance requirements are often static and prescriptive, according to security executives. Compliance can give organizations a misleading sense of security: passing an audit provides only a one-time snapshot of the control environment, not evidence that the business is protected against current threats.

Risk Management More Important Than Ever

It can be easy to deploy security technology and think you’ve mitigated risk to your business. But sadly, technology investment is no guarantee of protection against the latest threats.

Studies indicate that despite serious business investment in modern security technology, malware incidents still rose 58 percent year over year. According to the recent “2016 Cost of Data Breach Study” from the Ponemon Institute, the average total cost of a data breach increased from $3.79 million in 2015 to $4 million in 2016, based on responses from the 383 companies in 12 countries that participated in the study.

Managing risk can help to mitigate this cost. The shift to a risk management approach has been brewing for some time, according to the CISO Insights Study. Security leaders are realizing that simply checking the box to address compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based by using a sophisticated approach to determine risks and prioritize security investments.

Below are some more key takeaways on risk programs:

Compliance Is Just One Factor

Compliance doesn’t go away entirely, even in a risk-based program. The regulations are still there, but department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements. It’s a change in language, and the moment when everyone understands the difference is transformational for the entire organization.

Risk Tolerance Evolves Over Time

An assessment plan and risk profile are expected to change over time. It is also difficult for organizations to properly assess a risk before encountering a problem that exposes it. However, frequent conversations about what department heads and senior management are comfortable with promote risk awareness across all lines of business.

Making Risk Management Work

Risk management breaks down into three distinct areas: strategic, tactical and operational. As organizations move to a risk-based approach, they can explore assessment platforms, work to create risk profiles and partner with third-party providers to perform risk assessments.

Explore Risk Assessment Methodologies and Tools

Security teams are adopting various governance and control frameworks, and it is clear that respondents are using a mix of controls and frameworks instead of relying on just one. Frameworks in use range from the widely adopted National Institute of Standards and Technology (NIST) Cybersecurity Framework, the ISO 27000 series and COBIT to hybrid approaches customized for the organization’s needs.

Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives.


Figure 1: NIST Framework (Source: NIST)


Figure 2: Adopted Frameworks (Source: Wisegate IT)

Transform Your Security Program

IBM outlined 10 essential practices for a stronger security posture. Each practice is assessed on a maturity-level basis:


Figure 3: 10 Essential Practices (Source: IBM)

Aligning the above to a maturity model offers a prescriptive assessment of your company against best practices.


Figure 4: Capability Maturity Model (Source: IBM)

Security services help clients optimize their security program with skills to address modern risks. Organizations can access the right skills, reduce complexity, gain access to global threat intelligence, build secure connected systems, and modernize existing security programs across their people, processes and technology with management consulting, managed services and systems integration.

At IBM, this service is built on six competencies:

  • Security Strategy, Risk and Compliance: Automating governance, risk and compliance programs;
  • Security Intelligence and Operations: Building and managing security operations and security fusion centers;
  • Cybersecurity Assessment and Response: Establishing robust security testing and incident management programs;
  • Identity and Access Management: Modernizing identity and access management for the cloud and mobile era;
  • Data and Application Security: Deploying robust critical data protection programs and establishing application security throughout the life cycle; and
  • Infrastructure and Endpoint Security: Redefining infrastructure and endpoint solutions with secure software-defined networks.


Figure 5: Continuous Monitoring to Facilitate Risk-Based Decision-Making (Source: IBM)

A Business-Driven Approach To Security

It’s clear that risk management programs provide organizations with a lot of flexibility, but implementation still requires a tremendous amount of effort. A risk-based approach doesn’t eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that everyone can collectively agree upon the right balance. Risk management requires buy-in from the top down so that there is support for new initiatives and processes.

As an organization secures its business processes, a business-driven approach needs to become the guiding influence that ensures all the different security domains work together in a holistic manner, in alignment with the business objectives. Otherwise, the organization’s risk stance becomes vulnerable because of misaligned priorities between IT and the business strategy.

Aligning IT security with a business-driven approach can also put an organization in a position to have its unique business objectives drive its compliance rather than having compliance drive its business. Too many organizations invest significant time and money to comply with industry and government regulations only to find out too late that their key business processes were still vulnerable to attack. Managing security from a business-driven perspective enables an organization to secure those business processes in a manner that inherently produces the evidence needed to demonstrate compliance.

Read the Full Report: CISO insights on moving from compliance to risk-based program
