Balancing different security priorities is not an easy task. Long gone are the days of defending an in-house data center from mischievous pranksters. Instead, cybersecurity has exploded over the past few decades into a multibillion-dollar industry with a myriad of best practices all competing for your cybersecurity team's attention and resources. To make this complexity more manageable, best practices have been developed to give your security team the focus required to prioritize the objectives that will have the most significant impact on keeping your digital business safe in this era of constant breaches and leaks. Integrated Risk Management, or IRM, is a system that organizes best practices and principles to help your business prioritize security objectives.
According to the commonly accepted definition from corporate security research firm Gartner, IRM is built atop six major principles:
- Strategy: Enable and implement a framework, including performance improvement through effective governance and risk ownership
- Assessment: Identification, evaluation, and prioritization of risks
- Response: Identification and implementation of mechanisms to mitigate risk
- Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise's risk response
- Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives, and the effectiveness of risk mitigation and controls
- Technology: Design and implementation of an integrated risk management solution (IRMS) architecture or an integrated risk management framework
And it's not just a matter of opinion - according to a public study funded by the offensive security giant FireEye, businesses with security strategies organized around IRM were 6x less likely to experience a breach in 2019, the most recent year for which such data was available. Other firms concur - the top law firm DLA Piper, fast-food giant A&W, and even Twitter use IRM principles to organize their teams and figure out what to prioritize. Leveraging the accumulated wisdom of hundreds of industry leaders will beef up the effectiveness of your leadership by guiding you in setting up an effective strategy for your cybersecurity department. IRM enables you to make precisely that leap using a structure built on decades of hard-earned lessons from industry veterans. Conversely, by not taking advantage of it, you put yourself in a weak position in a world where your competitors will gladly power up their digital business with the critical edge provided by IRM. So don't miss out: let us guide you through each of the six principles, showing how the advice behind each one is critical to the success of a digital business, so that you can more easily understand these principles and apply them to your own business.
Effective governance and leadership need to be allocated towards the long-term vision of the business's security culture. Chief among the concerns at this level is developing a working threat model upon which a strategy can be built. You will also want to work with other departments like HR to figure out how you will find the right talent to enable your business to foster new leadership and stay competitive in the current recruiting landscape. Specifically, with IRM, we want to strategize how to integrate our different security responsibilities and open up communication. In so doing, we prevent the duplication of work, but even more importantly, we acquire visibility by making sure security engineers can have their eyes on the work being done throughout the enterprise for possible risks. This has benefits even beyond security, as psychologists at the APA have found that context switching caused by developers needing to reconcile their work with duplication in other teams is a leading cause of unproductivity and procrastination.
You will want to analyze the specific weaknesses of your business so you can prioritize strengthening your defensive posture in those areas. Third-party pentests are an excellent way to begin figuring out where you're lacking in this regard. Another powerful resource is OWASP's free list of common weaknesses and vulnerabilities. You will likely be able to compare that to the defenses you already have so that you can figure out where you might be lacking. When assessing ourselves, the essential virtue is humility. No matter how well you're doing in your security posture, room for improvement is always there. Even top firms and FAANG companies experience breaches, despite the enormous sums of money and talent they throw at security. If it can happen to them, it can happen to you, so open yourself up to honestly look for weaknesses that undoubtedly exist.
How you respond to an incident is almost as crucial for the well-being of your company as preventing the incident in the first place. For example, when MySpace was the king of the internet, bad publicity in the wake of the infamous 'samy' hack helped pave the way for the popularity of then-emerging competitor Facebook. So while it's better never to fall, you must know how to stand back up on your two feet afterward. Again, the keys are communicating clearly with partners and clients affected by a breach, analyzing what went wrong and what happened once the attackers were in, and applying mitigations to prevent the same kind of attack from occurring again at a later date. Often, when faced with the terrifying proposition of communicating a security failure to clients, business people are tempted to rely excessively on public relations officials to communicate. While such professionals have a place in giving clear, solid advice on what you need to say and avoid saying, it's essential to pass your communique by your technical teams as well, to avoid deflecting responsibility or saying something that will look foolish to an audience with profound knowledge of the topic. Of course, a quick pass by your legal department would also be in order.
Too often, we in the security industry confuse monitoring with merely setting up a Security Operations Center or setting up an IDS with some automated alerts. While these are significant first steps, monitoring as a strategy goes way beyond this. You will want to comprehensively analyze findings from internal audits to find how simulated intrusions could have been detected by the monitoring software you have set up. Furthermore, it's of paramount importance that when you develop a new threat model, you thoroughly review your monitoring strategy to ensure that the rules and alerts in place in your IDS are entirely in line with the priorities established by the threat model, and that the engineers who work on the threat model are in close communication with the SOC team implementing monitoring solutions.
If you have a technical security team and think like most businesses, there's a good chance you already think a lot about what specific technical decisions to make so that your digital business can thrive and outcompete the rest. This principle suggests that you use an IRM framework or solution, either from the market or internally designed, to formalize these ideas and bake them into your company's security DNA. Consultants for IRM exist at all price ranges, but be aware that you get what you pay for. If you have a business-focused security expert in your company, there's a good chance they'll know how to find you the best deal on a good consultant specialized in implementing IRM in digital businesses. According to StackOverflow's annual developer poll, most developers prefer to work in newer, secure programming languages like Rust and TypeScript. So catapulting your company towards exciting, cutting-edge, safer tech won't only prevent breaches; it will also make it easier to attract and retain top engineering talent, which is a keen advantage given the highly competitive state of today's hiring market. Securing a digital business is hard, but it doesn't have to be if you let IRM make it a bit easier. We sincerely hope that this brief article has improved your understanding of IRM and why it's considered critical in today's security landscape, especially for any business that is primarily digital in scope. As digital businesses continue to take over more sectors of the world's economy, security is becoming more central yet more complex, and these strategies can help you regain control over the ever-expanding scope and role of security.
Surviving as a digital business in today's crowded and highly competitive market depends on every advantage you can gain. Old-school mentorship is valuable, but IRM can teach lessons from hundreds of industry leaders gathered over decades. So let IRM be the secret weapon that thrusts your business ahead of the competition and safeguards it from malicious actors.