Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Less risk, more reward

Managing vulnerabilities in a business context.

By Paul Clark.

Network security can be both an organization’s saviour, and its nemesis: how often does security slow down the business? But security is something you can’t run away from. Today’s cyber-attacks have a direct impact on the bottom line, yet many organizations lack the visibility to manage risk from the perspective of the business.

Traditionally, network security revolves around scanning the servers for vulnerabilities, reviewing them and the risk to the server by drilling down through the reporting to assess how vulnerabilities could be exploited, and then looking at how those risks can be remediated. Looking at vulnerabilities in this technical context leaves a lot to be desired in terms of actual impact on the business.

These risks can be put into two groups. There is the security risk, which is about compromise. How can the network be compromised and what would happen if the vulnerability was exploited? What damage would be done, and what information could be lost? Assessing these types of risk is usually the domain of the information security team.

The second type of risk is operational: how the business is impacted by addressing the vulnerabilities. This area of security is usually managed by the IT team, who will plan downtime to patch or upgrade the server. But with planned downtime comes unplanned downtime too, as often a fix won’t go according to plan: and the fix itself can create a whole new set of issues for the network.

But it isn’t the network that runs the business, it is a platform to enable the business. So wouldn’t it be more valuable and practical to assess security from the perspective of a business application, which enables the business to run?

In fact, a 2013 survey by AlgoSec revealed that it is common among information security, network operations and application professionals to struggle with managing business critical applications effectively, because of the heavy workload, complexity involved and for them to just keep up with the evolving needs of the business. Nearly 50 percent of respondents would prefer to see vulnerabilities from a business perspective, and it is this piece that is missing when they are assessing risk.

A higher level of understanding

When you really think about what is at risk from the organization’s perspective, it isn’t the server; it is the application that relies on that server. Therefore, to assess security from the perspective of the business applications, you need to know which servers run which applications over them. Then, all the discovered and reported vulnerabilities on those servers are really vulnerabilities that will affect the application.

If you look at it from this view, that is, gathering the vulnerabilities at the server level and applying the vulnerabilities to the application level, another group of people becomes involved in the security risk assessment process. These are the business application owners such as HR, finance and sales.

The business application owners are able to add balance to the decisions made about risks posed to the network: between the risk of compromise, and that of planned and unplanned downtime. For, at this level, they are able to give input as to how important and business critical the application is, and what impact to the business there will be if staff, customers or third parties aren’t able to access it. So rather than being a pure IT and security decision, it becomes one with the business operations at the heart of it.

For example, an application that takes payments from customers could be deemed business critical as, without it running, the business grinds to a halt and ends up with frustrated customers that turn to the competition. With the involvement of the business application owners, not only does it empower them to own their risk, but it also enables much more informed decisions about the true priorities to the business for taking remedial actions.

By allowing business application owners to have their say, and by viewing threats to the business from the application level, security will not only protect the business, it will also help to optimise it. That’s a perfect balance of reduced risk, and greater reward.

The author

Paul Clark is AlgoSec’s regional director for UK, Ireland, South Africa and the Middle East.

•Date: 17th March 2014 • World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here