Risk and Compliance: The Yin and Yang of Security

Mushrooming industry and government mandates that govern IT security have led to a highly regulated environment and annual compliance fire drills. Compliance, however, does not necessarily equal better security.

We are reminded of this fact nearly every day when breaches make headlines. So what role should compliance and risk management play within an enterprise’s overall security equation?

The Downside of Compliance

Organizations that pursue a check-box mentality as part of a compliance-driven approach to security only achieve point-in-time compliance rather than improving the company’s security posture, which is dynamic and changes over time. This has been proven time and again.

Recently, progressive enterprises have begun to pursue a more proactive, risk-based approach to security. The goal in a risk-based model is to maximize the efficiency of an organization’s IT security operations and provide visibility into risk and compliance posture. The holy grail is to remain in compliance, reduce risk, and harden security on a continuous basis.

A number of factors are causing businesses to rethink the check-box approach to security and move toward a risk-based model. These include:

  • Federal Information Security Management Act (FISMA) of 2002.
  • Federal Risk and Authorization Management Program (FedRAMP).
  • Securities and Exchange Commission (SEC) Cyber Guidance.
  • Emerging Cyber Legislation (e.g., Cyber Intelligence Sharing and Protection Act).
  • Presidential Executive Order on Cyber Security.
  • The Council of Europe Convention on Cybercrime.

We are reminded of this fact nearly every day when breaches make headlines. So what role should compliance and risk management play within an enterprise’s overall security equation?

The Role of IT Security

It is commonly believed that vulnerability management will minimize the risk of a data breach. However, without placing vulnerabilities into the context of the risk associated with them, organizations can misalign their remediation resources. Often they overlook the most critical risks while only addressing “low-hanging fruit”.

This is not only a waste of money, but more importantly, it creates a longer window of opportunity for hackers to exploit critical vulnerabilities. The ultimate goal is to shorten the window attackers have to exploit a software flaw. Therefore, vulnerability management must be supplemented by a holistic, risk-based approach to security, which considers factors such as threats, reachability, the organization’s compliance posture, and business impact.

If the threat cannot reach the vulnerability, the associated risk is either reduced or eliminated.

Risk and Compliance: Security Bedfellows

An organization’s compliance posture can play an essential role to IT security by identifying compensating controls that can be used to prevent threats from reaching their target.

According to the Verizon 2012 Data Breach Investigations Report, 97 percent of the 855 incidents reported in 2011 were avoidable through simple or intermediate controls. However, business impact is a critical factor in determining actual risk. For example, vulnerabilities that threaten critical business assets represent a far higher risk than those that are associated with less critical targets.

Since compliance posture is typically not tied to the business criticality of assets, it does not enable an organization to prioritize remediation efforts. A risk-driven approach, which addresses both security posture/compliance and business impact, can increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.

There are three main components to implementing a risk-based approach to security.

Continuous Compliance

Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation.

With continuous compliance, organizations can reduce overlap by leveraging a common control framework to increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.

Continuous Monitoring

Continuous monitoring implies an increased frequency of data assessments and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners.

In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.

Closed-Loop Remediation

Closed-loop, risk-based remediation leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement.

By establishing a continuous review loop of existing assets, people, processes, potential risks and possible threats, organizations can dramatically increase operational efficiency while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time-to-resolution, investment in security operations personnel, purchases of additional security tools).


Compliance mandates were never designed to drive the IT security bus. They should play a supporting role within a dynamic security framework that is driven by risk assessment, continuous monitoring, and closed-loop remediation.

Joe Fantuzzi is president and CEO of integrated risk management vendor Agilance. Torsten George is the company's chief product strategist.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels