August 12, 2016 By Ayman Hammoudeh 4 min read

Most industries are under regulatory pressure, so they take a compliance-driven approach to security that aims to meet minimum requirements. But compliance requirements are often static and prescriptive, according to security executives. Compliance can give organizations a false sense of security, and it provides only a one-time snapshot of their posture.

Risk Management More Important Than Ever

It can be easy to deploy security technology and think you’ve mitigated risk to your business. But sadly, technology investment is no guarantee of protection against the latest threats.

Studies indicated that despite serious business investment in modern security equipment, there was still a 58 percent year-over-year increase in malware incidents. According to the recent “2016 Cost of Data Breach Study” from the Ponemon Institute, the average total cost of a data breach increased from $3.79 million in 2015 to $4 million in 2016, based on responses from the 383 companies in 12 countries that participated in the study.

Managing risk can help to mitigate this cost. The shift to a risk management approach has been brewing for some time, according to the CISO Insights Study. Security leaders are realizing that simply checking the box to address compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based by using a sophisticated approach to determine risks and prioritize security investments.

Below are some more key takeaways on risk programs:

Compliance Is Just One Factor

Compliance doesn’t go away entirely, even in a risk-based program. The regulations are still there, but department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements. It’s a change in language, and the moment when everyone understands the difference is transformational for the entire organization.

Risk Tolerance Evolves Over Time

An assessment plan and risk profile are expected to change over time. It is also difficult for organizations to properly assess risk before encountering a problem. However, frequent conversations about what department heads and senior management are comfortable with promote risk awareness across all lines of business.

Making Risk Management Work

Risk management breaks down into three distinct areas: strategic, tactical and operational. As organizations move to a risk-based approach, they can explore assessment platforms, work to create risk profiles and partner with third-party providers to perform risk assessments.

Explore Risk Assessment Methodologies and Tools

Security teams are adopting various governance and control frameworks, and it is clear that they are using a mix of controls and frameworks instead of relying on just one. Frameworks in use range from the widely adopted National Institute of Standards and Technology (NIST) framework, ISO 27000 and COBIT to hybrid approaches customized for the organization’s needs.

Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives.

Figure 1: NIST Framework (Source: NIST)

Figure 2: Adopted Frameworks (Source: Wisegate IT)

Transform Your Security Program

IBM outlined 10 essential practices for a stronger security posture. Each practice is assessed on a maturity-level basis:

Figure 3: 10 Essential Practices (Source: IBM)

Aligning the above practices to a maturity model offers a prescriptive assessment of your company against best practices.

Figure 4: Capability Maturity Model (Source: IBM)

Security services help clients optimize their security program with skills to address modern risks. Organizations can access the right skills, reduce complexity, gain access to global threat intelligence, build secure connected systems, and modernize existing security programs across their people, processes and technology with management consulting, managed services and systems integration.

At IBM, this service is built on six competencies:

  • Security Strategy, Risk and Compliance: Automating governance, risk and compliance programs;
  • Security Intelligence and Operations: Building and managing security operations and security fusion centers;
  • Cybersecurity Assessment and Response: Establishing robust security testing and incident management programs;
  • Identity and Access Management: Modernizing identity and access management for the cloud and mobile era;
  • Data and Application Security: Deploying robust critical data protection programs and establishing application security throughout the life cycle; and
  • Infrastructure and Endpoint Security: Redefining infrastructure and endpoint solutions with secure software-defined networks.

Figure 5: Continuous Monitoring to Facilitate Risk-Based Decision-Making (Source: IBM)

A Business-Driven Approach To Security

It’s clear that risk management programs provide organizations with a lot of flexibility, but implementation still requires a tremendous amount of effort. A risk-based approach doesn’t eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that everyone can collectively agree upon the right balance. Risk management requires buy-in from the top down so that there is support for new initiatives and processes.

As an organization secures its business processes, a business-driven approach needs to become the guiding influencer to ensure that all the different security domains work together in a holistic manner in alignment with the business objectives. Otherwise, the organization’s risk stance becomes vulnerable due to misalignment of priorities between IT and the business strategy.

Aligning IT security with a business-driven approach can also put an organization in a position to have its unique business objectives drive its compliance rather than having compliance drive its business. Too many organizations invest significant time and money to comply with industry and government regulations only to find out too late that their key business processes were still vulnerable to attacks. Approaching security management from a business-driven perspective enables an organization to secure those business processes in a manner that inherently produces the evidence needed to demonstrate compliance.

Read the Full Report: CISO insights on moving from compliance to risk-based program
