Turning GRC into a Competitive Advantage: IT Risk Management

IT risk management programs do not typically generate revenue but they can impact the bottom line. Sam Abadir, LockPath’s Director of Product Alliances, explained in a recent webinar how one IT risk team became a critical component of its organization using a GRC solution to solve big, expensive problems.

Disparate Data Throughout the Business
Being a large, international company made this organization a prime target for infrastructure attacks. Threat detection feeds and vulnerability scans provided valuable intelligence, but the challenge was what to do with the information. The organization had difficulty understanding what to prioritize at the IT level, how to manage the information at the IT level, and how to explain and justify security expenses to the board.

The team did not know how critical a vulnerable asset was to the company if it were compromised. Additionally, IT did not know whether a vulnerability was new or had already been reported. Together these gaps made it difficult to prioritize vulnerabilities.

To get ahead of threats and to harden or monitor systems, this company bought a threat monitoring service. This subscription delivered hundreds of threats daily by email, all in PDF form. Reading and assessing the applicability of threats was time-consuming and nearly impossible to complete before the relevant assets could be secured.

IT was challenged to manage vulnerabilities and threats, to better prioritize threats to the business and to justify the high costs of these tasks to management.

Business Operations Supported by Technology
To solve these issues, the company looked at its asset base to understand which assets supported which business processes, and how the business prioritized those processes. In short, IT needed to:

  • Identify how the operations of the company created value.
  • Identify which assets supported which operational processes. (This provided the direct tie between assets and value created.)
  • Identify and quantify the value of operational risks.

This mapping and risk identification laid out the plan for explaining IT risks in business terms.

IT worked with the business to identify the processes the organization supported and their value. IT then mapped IT assets and supporting information to those processes. This helped IT understand how much was at stake when a threat or vulnerability was discovered on a supporting asset, and enabled IT to prioritize threats and vulnerabilities based on business operations, not just severity.
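As an added illustration of the mapping and prioritization just described (example code, not from the webinar or the Keylight Platform), the following Python ranks scanner findings by the dollars at risk behind the affected asset rather than by severity alone, and drops findings that are already on the register so only new ones reach the queue. All process values, asset mappings, finding identifiers and the exploitation-uplift weighting are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: daily value of each business process (dollars per day of outage).
PROCESS_VALUE_PER_DAY = {
    "order-fulfilment": 400_000,
    "payroll": 50_000,
    "marketing-site": 5_000,
}

# Constructed mapping of assets to the processes they support (the asset-to-value tie).
ASSET_PROCESSES = {
    "erp-db-01": ["order-fulfilment", "payroll"],
    "web-cdn-edge": ["marketing-site"],
    "hr-app-02": ["payroll"],
}

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # scanner identifier; placeholder values below are constructed
    severity: float    # CVSS-style base score, 0-10
    exploitable: bool  # threat feed reports active exploitation

def dollars_at_risk(asset: str, days_down: int = 1) -> int:
    """Business value an asset supports: the daily value of every process mapped to it."""
    return sum(PROCESS_VALUE_PER_DAY[p] for p in ASSET_PROCESSES.get(asset, ())) * days_down

def business_score(f: Finding) -> float:
    """Severity scaled to 0-1, doubled when exploitation is observed, weighted by value at risk."""
    likelihood = f.severity / 10.0 * (2.0 if f.exploitable else 1.0)
    return likelihood * dollars_at_risk(f.asset)

def prioritize(findings, already_reported):
    """Return only findings not already on the register, highest business impact first."""
    new = [f for f in findings if (f.asset, f.vuln_id) not in already_reported]
    return sorted(new, key=business_score, reverse=True)

# Constructed findings and a register of (asset, vuln_id) pairs reported in earlier scans.
FINDINGS = [
    Finding("web-cdn-edge", "VULN-A", 9.8, True),
    Finding("erp-db-01", "VULN-B", 7.5, False),
    Finding("hr-app-02", "VULN-C", 6.0, True),
    Finding("erp-db-01", "VULN-D", 9.1, False),
]
ALREADY_REPORTED = {("erp-db-01", "VULN-D")}

if __name__ == "__main__":
    for f in prioritize(FINDINGS, ALREADY_REPORTED):
        print(f"{f.asset:14} {f.vuln_id:8} sev={f.severity:4} ${business_score(f):>12,.0f}")
```

Note that the critical-severity finding on the marketing edge ranks below a high-severity finding on the ERP database, because the latter sits under far more business value.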

IT and Business Data are Inputs to Risk Management
Managing this data was another logistical nightmare that could have added more cost, more time, and more uncertainty because of how often it changed. The increased amount of data only multiplied the number of questions the team had about its data and threats.

That is where a Governance, Risk and Compliance (GRC) platform came in. GRC takes metrics and inputs from across the business, from third parties and from IT scanning tools. The Keylight® Platform, this company’s chosen GRC solution, automatically correlates this information and helps users prioritize threats and vulnerabilities. In addition to data management, GRC tools can manage the messaging of information to different parts of the company with fewer resources.

IT Risk Management Across the Organization
Today, this company is able to automatically collect and manage data from across the business.

IT can identify risks and metrics efficiently. The Keylight Platform takes that information and presents it to people throughout the organization. Data is measured and analyzed in the platform and reported to IT operations, to IT and Business Management, and to the C-Suite, Board of Directors, and Audit Committees.

The Keylight Platform helps the company’s management understand the effectiveness of front-line operations. Instead of talking about vulnerabilities, threats, configurations and SIEM alerts, Keylight instantly transforms and communicates those messages to management through a narrative of specific business impacts, potential process slowdowns or stoppages, and dollars at risk. With Keylight, management has the best information at the right time, allowing for efficient and informed development of strategy to protect the organization from IT threats. Furthermore, such efficiencies often allow organizations to better focus their resources on value-creating activities.

The IT team uses the same data to inform the right people of risks, opportunities and issues, using relevant metrics to efficiently manage risk. Coordinated and timely messaging keeps business spending focused on creating value instead of reacting to aging problems. All this has led to the business giving higher respect to the IT team, as well as higher priority to its IT budget.

For more information on turning GRC into a competitive advantage, watch the full webinar here.
