Thursday, December 2, 2021

How to make digital risk management part of a threat intelligence program

IT risk management is an essential element of the work of CIOs/CISOs. As the SANS Institute describes it, risk is the potential harm that may arise from some current process or from some future event.

“From the IT security perspective,” it goes on, “risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.”

But a recent column by Adam Meyer, chief security strategist at SurfWatch Labs, suggests IT risk management should also be part of a threat intelligence program rather than a task kept separate from other work. In fact, he argues it should be called Digital Risk Monitoring and suggests fitting it into a flow chart to sharpen your thinking.

What questions need answering? Here are a few: What is the impact of a cyber threat on your brand and reputation? What risks do the third parties with whom you conduct business provide to adversaries as an opening into your organization? What risks to your organization are associated with employee use of IoT devices?

Having thought of these and other risks, put them in a chart to better visualize them. For example, unauthorized access can lead to 1) data leakage and 2) data theft. Employee digital risk vectors include 1) social engineering, 2) identity and access management and 3) insider risk. You'll see a more detailed chart in his full column here.

“By including digital risk monitoring as part of your threat intelligence capability,” he writes, “you can better understand your most critical areas of risk and the possible avenues of approach for adversaries, how actor capabilities align with the opportunities you’re giving them and how to stay ahead of them.”

Meyer emphasizes that this process identifies IT as well as business risk.

“Understanding your digital risk is a key ingredient to the mix when crafting or adding to a threat intelligence program,” he argues. However, many organizations separate the evaluation of risk from threat intelligence.

Collecting data on risks is no different from collecting data on threats, Meyer believes. As threats get more sophisticated, it's time at least for CIOs and CISOs to consider this approach.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com