Most industries are under regulatory pressure, so they take a compliance-driven approach to security to meet minimum requirements. But compliance requirements are often static and prescriptive, according to security executives. Compliance can give organizations a misleading sense of security, and it provides only a point-in-time snapshot.

Risk Management More Important Than Ever

It can be easy to deploy security technology and think you’ve mitigated risk to your business. But sadly, technology investment is no guarantee of protection against the latest threats.

Studies indicated that despite serious business investment in modern security equipment, there was still a 58 percent year-over-year increase in malware incidents. According to the recent “2016 Cost of Data Breach Study” from the Ponemon Institute, the average total cost of a data breach increased from $3.79 million in 2015 to $4 million in 2016, based on responses from the 383 companies in 12 countries that participated in the study.

Managing risk can help to mitigate this cost. The shift to a risk management approach has been brewing for some time, according to the CISO Insights Study. Security leaders are realizing that simply checking the box to address compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based by using a sophisticated approach to determine risks and prioritize security investments.

Below are some more key takeaways on risk programs:

Compliance Is Just One Factor

Compliance doesn’t go away entirely, even in a risk-based program. The regulations are still there, but department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements. It’s a change in language, and the moment when everyone understands the difference is transformational for the entire organization.

Risk Tolerance Evolves Over Time

An assessment plan and risk profile are expected to change over time. It is also difficult for organizations to properly assess risk before encountering a problem. However, frequent conversations about what department heads and senior management are comfortable with promote risk awareness across all lines of business.

Making Risk Management Work

Risk management breaks down into three distinct areas: strategic, tactical and operational. As organizations move to a risk-based approach, they can explore assessment platforms, work to create risk profiles and partner with third-party providers to perform risk assessments.

Explore Risk Assessment Methodologies and Tools

Security teams are adopting various governance and control frameworks, and it is clear that members are using a mix of controls and frameworks instead of relying on just one. Frameworks in use range from the widely adopted National Institute of Standards and Technology (NIST) framework, ISO 27001 and COBIT to hybrid approaches customized for the organization’s needs.

Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives.


Figure 1: NIST Framework (Source: NIST)


Figure 2: Adopted Frameworks (Source: Wisegate IT)

Transform Your Security Program

IBM outlined 10 essential practices for a stronger security posture. These practices are assessed on a maturity-level basis:


Figure 3: 10 Essential Practices (Source: IBM)

Aligning the above to a maturity model offers a prescriptive assessment of your company versus best practices.


Figure 4: Capability Maturity Model (Source: IBM)

Security services help clients optimize their security program with skills to address modern risks. Organizations can access the right skills, reduce complexity, gain access to global threat intelligence, build secure connected systems, and modernize existing security programs across their people, processes and technology with management consulting, managed services and systems integration.

At IBM, this service is built on six competencies:

  • Security Strategy, Risk and Compliance: Automating governance, risk and compliance programs;
  • Security Intelligence and Operations: Building and managing security operations and security fusion centers;
  • Cybersecurity Assessment and Response: Establishing robust security testing and incident management programs;
  • Identity and Access Management: Modernizing identity and access management for the cloud and mobile era;
  • Data and Application Security: Deploying robust critical data protection programs and establishing application security throughout the life cycle; and
  • Infrastructure and Endpoint Security: Redefining infrastructure and endpoint solutions with secure software-defined networks.


Figure 5: Continuous Monitoring to Facilitate Risk-Based Decision-Making (Source: IBM)

A Business-Driven Approach To Security

It’s clear that risk management programs provide organizations with a lot of flexibility, but implementation still requires a tremendous amount of effort. A risk-based approach doesn’t eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that everyone can collectively agree upon the right balance. Risk management requires buy-in from the top down so that there is support for new initiatives and processes.

As an organization secures its business processes, a business-driven approach needs to become the guiding influencer to ensure that all the different security domains work together in a holistic manner in alignment with the business objectives. Otherwise, the organization’s risk stance becomes vulnerable due to misalignment of priorities between IT and the business strategy.

Aligning IT security with a business-driven approach can also put an organization in a position to have its unique business objectives drive its compliance rather than having compliance drive its business. Too many organizations invest significant time and money to comply with industry and government regulations only to find out too late that their key business processes were still vulnerable to attacks. Leveraging security management from a business-driven perspective enables an organization to successfully secure those business processes in a manner that inherently provides the necessary evidence to demonstrate compliance.

Read the Full Report: CISO insights on moving from compliance to risk-based program
