Few areas of information security are as misunderstood, or as critical to understand and employ, as digital risk management. Some organizations see it as an information technology (IT)-only issue. Others view risk management as relevant to everything but IT.
But the truth is that digital risk management is one of the most important components of an effective information-security program. For many industries, including the legal profession, digital risk management is also an integral part of a business' strategy aimed at enabling revenue while reducing risk for clients and law firms.
And, for organizations involved in e-commerce, digital risk management can make the difference between futility and fortune.
Finding the Balance
The objective of all information-security programs is to protect the integrity of a company's most precious asset: its information. By safeguarding this asset through an information-security program, organizations also defend their missions against IT-related risk.
But managing or mitigating risk is not the same as eliminating risk. To eliminate risk, organizations would likely have to disrupt the balance between information security and information availability. Information that is not secure cannot be trusted, and information that is not available is useless.
Digital risk management aims to put in place and maintain the appropriate technologies and processes to help ensure that information remains available and secure. Doing so enables the organization to make better decisions that keep businesses up, running and growing.
Why Now?
As organizations have become more reliant on technology to make the most of the value of their information, the landscape of potential and harmful threats has become increasingly menacing. According to a recent Internet Security Threat Report from Symantec Corp., the motivation behind threats is shifting from hacker notoriety to economic gain. This is made apparent by the prevalence of threats such as spam, pharming, phishing, identity theft, fraud and intellectual-property theft.
The number of severe, easy-to-exploit, remotely exploitable vulnerabilities is also on the rise. During the last half of 2004, 54 new vulnerabilities were discovered per week. What's more, 97% of those vulnerabilities were rated moderately or highly severe, 70% were considered easy to exploit and 80% deemed remotely exploitable.
That's no secret to attackers, who are exploiting vulnerabilities at breakneck speeds. Today, the average time between the disclosure of a vulnerability and the emergence of an exploit is only 6.4 days. That gives already overworked IT administrators less than a week to identify vulnerable systems, and to deploy patches or countermeasures.
IT Challenges
In addition to keeping a close eye on threats and vulnerabilities, organizations must also address three common challenges associated with IT: cost, complexity and compliance. With more systems and applications being deployed, more security vulnerabilities being discovered, and with more users to serve, the cost of delivering IT services is growing exponentially.
Consider this point, too: Today's operating environments are extremely complex and can include offshore providers, data centers, desktops, laptops, and handheld devices that run on a broad range of platforms and use a diverse array of applications over wired and wireless networks.
In addition, a wide variety of industry and government regulations are in place, with additional standards being considered. These compound existing cost and complexity challenges, and focus greater importance on risk management.
The Information Lifecycle
Digital risk management includes the identification, analysis, control and reduction of the negative consequences associated with certain events. Because digital risk management is an essential part of an information-security program, it must be completely integrated into the information lifecycle. There are five phases of this lifecycle (see Fig. 1, below):
Information passes through each of these phases as the organization, partners and customers use it. For example, a customer creates information when he or she enters contact and purchasing information into an e-commerce Web page. That information transitions into the transfer phase of the information lifecycle when the customer electronically sends it to the e-tailer. This customer data is then viewed by those involved in completing the purchase and sale. The customer account information then passes into the storage phase, where it is saved on a database. Finally, after a specified period of time, the same customer information is destroyed, because it is no longer needed.
Risk management must be performed for each phase of the information lifecycle. The good news is that the risk-management process remains the same, regardless of the phase of the information lifecycle it is associated with (see Fig. 2, below).
Because risk management and information integrity are critical aspects of a profitable business, several key people should be involved in and support the risk-management process. While IT personnel play a vital role in implementing the controls to safeguard information assets, risk management also requires the participation of key executives and senior management, as well as business and function managers.
Assessment and Mitigation
Risk management begins with an assessment of information assets and the IT environment that supports them, as well as an evaluation of potential threats and vulnerabilities, and their likelihood and possible impact.
Information assets can fall under a number of categories, from intellectual property to corporate financials, employee data and customer information. Likewise, IT environment-related information can fall under various headings:
Armed with this information, organizations can prioritize, evaluate and implement controls for mitigating risk. In the past, this meant deploying point solutions to protect different areas of the IT infrastructure. Unfortunately, this approach is no longer appropriate.
To ensure the security and availability of critical information and effectively manage risk, organizations must work to build a more integrated management environment that creates a resilient IT infrastructure: one that is flexible enough to respond to a changing IT environment but rigid enough to withstand attacks or disruptions.
To build this infrastructure, organizations must tie security together with systems, device, storage and network management. With such an infrastructure, the organization is able to leverage external threat intelligence with internal insight about the IT infrastructure to automatically respond to fast-moving threats by taking appropriate protective measures.
This new approach to infrastructure management enables key systems to communicate with one another when a threat appears on the horizon, triggering audits to pinpoint vulnerable systems, prompting more frequent incremental backups to preserve data, automatically updating unprotected devices, and more. The result is not just the preservation of the integrity of business-critical information. Organizations can also leverage this resilient infrastructure to better mitigate risk, improve decision-making, maintain business continuity, and increase profitability and growth.
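The assessment-and-mitigation process described above (assets and the environment around them, threats and vulnerabilities, their likelihood and impact, then prioritized controls) can be written down as a small risk register that scores each asset in each lifecycle phase and ranks the results. The following is an added illustration, not code from the article or from Symantec; the five phase names follow the e-commerce walk-through in the lifecycle section, and the asset, threat, score and control values are constructed assumptions.

```python
"""
Worked risk register: score one information asset across the lifecycle
phases, rank the resulting risks and split them into a treatment plan.
Constructed example: phase names, assets, threats, ratings and controls
are assumptions chosen to illustrate the process, not data from the article.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Level(IntEnum):
    """Three-point rating used for both likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed lifecycle phases, inferred from the article's e-commerce example
# (customer creates data, transfers it, it is viewed, stored, then destroyed).
PHASES = ("create", "transfer", "use", "store", "destroy")


@dataclass(frozen=True)
class Risk:
    asset: str        # information asset being protected
    phase: str        # lifecycle phase in which the threat applies
    threat: str       # what could go wrong in that phase
    likelihood: Level
    impact: Level
    control: str      # mitigating control that would be deployed

    @property
    def score(self) -> int:
        """Simple likelihood x impact product, 1 (lowest) to 9 (highest)."""
        return int(self.likelihood) * int(self.impact)


def validate(risk: Risk) -> None:
    """Reject entries that name a phase outside the lifecycle model."""
    if risk.phase not in PHASES:
        raise ValueError(f"unknown lifecycle phase: {risk.phase!r}")


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by asset then phase for stable output."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-r.score, r.asset, r.phase))


def uncovered_phases(risks: List[Risk], asset: str) -> List[str]:
    """Phases for which an asset has no register entry at all.

    A phase with no entry is a gap in the assessment, not a phase with
    zero risk, so the assessor is told about it explicitly.
    """
    covered = {r.phase for r in risks if r.asset == asset}
    return [p for p in PHASES if p not in covered]


def treatment_plan(risks: List[Risk], mitigate_at: int = 3) -> Dict[str, List[Risk]]:
    """Split ranked risks into those that get a control and those accepted.

    mitigate_at is the assumed organizational threshold: any risk scoring
    at or above it must be mitigated, anything below may be accepted.
    """
    plan: Dict[str, List[Risk]] = {"mitigate": [], "accept": []}
    for r in rank(risks):
        bucket = "mitigate" if r.score >= mitigate_at else "accept"
        plan[bucket].append(r)
    return plan


# Constructed register for the customer-account asset from the article's example.
SAMPLE_REGISTER = [
    Risk("customer account data", "transfer", "interception on an untrusted network",
         Level.HIGH, Level.HIGH, "TLS for checkout and back-end API traffic"),
    Risk("customer account data", "store", "database exposed through an unpatched server",
         Level.MEDIUM, Level.HIGH, "patch SLA plus database network segmentation"),
    Risk("customer account data", "destroy", "records retained past the agreed period",
         Level.MEDIUM, Level.MEDIUM, "retention schedule with a scheduled purge job"),
    Risk("customer account data", "use", "staff viewing more records than their role needs",
         Level.LOW, Level.MEDIUM, "least-privilege roles in the order system"),
    Risk("customer account data", "create", "tampered form submission",
         Level.LOW, Level.LOW, "server-side input validation"),
]


if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_REGISTER)
    for bucket, entries in plan.items():
        print(f"== {bucket} ==")
        for r in entries:
            print(f"[{r.score}] {r.asset} / {r.phase}: {r.threat} -> {r.control}")
    print("phases with no assessment for 'intellectual property':",
          uncovered_phases(SAMPLE_REGISTER, "intellectual property"))
```

The register deliberately reports phases that have no entry rather than treating them as risk-free, which is the failure mode the article warns about when risk management is applied to some phases of the lifecycle but not others.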