Critical Remediation Often Dropped Due to Egos
San Ramon, CA — September 24, 2014 — Most corporations regularly go through an IT risk assessment either by choice or government mandate, but when egos get in the way, the most critical portion of the evaluation process is sometimes lost. In his recent blog post "Take Leadership ACTION When Undertaking an IT Risk Assessment," Ryan Ward, CISO of Avatier, one of the nation's largest identity and access management companies, stresses that IT managers can spend too much time defending unearthed problems rather than leading the way to fix them.
"As soon as security professionals start making excuses for security deficits because of lack of funding, limited support from technical groups or other political issues, they become ineffective as information security leaders," Ward stresses. "Management must understand that every organization faces challenges with these issues, so the focus should not be on blame, but rather on continuous improvement regardless of the current state of security."
The blog post points out that an effective IT risk assessment should identify both the positive and negative aspects of a security program rather than only the negative issues. Ward claims that some risk assessments spend the majority of their time trying to identify every unique vulnerability and process issue across every tier of the environment. "While this provides a laundry list of things to do," he warns, "it is equally important to assess the full information security landscape against business needs and business risks so that a clear roadmap and strategy can be provided to improve. Without this approach, it is not possible to show where IT security processes and technology are excessive, just right, or below par."
Ultimately, assessing the state of information security is just one piece of the puzzle, the blog post concludes. A remediation plan should be incorporated into every IT risk assessment project, since there are almost always observations of weaknesses to be addressed. Ideally, some form of security remediation activity should be built into a vendor's Statement of Work, and an internal remediation project should be aligned to closely follow an IT risk assessment, Ward adds.
"If a follow-on remediation project is prepared at the onset of the engagement," he concludes, "there will be less reason to block support for remediation, since the commitment will have already been established."
Avatier is the identity management company designed for business users. We automate and unify enterprise operations by standardizing business processes with an IT store. Our IT service catalog creates a single system of record for access requests and IT audit.
Our easily extensible identity management system lowers operational costs and provides corporate governance visibility. Avatier automates workflow and compliance reviews to reduce IT governance risks.
Founded in 1997, Avatier is headquartered in the San Francisco Bay area with offices in Chicago, Dallas, New York, Washington DC, London, Munich, Singapore, Dublin, and Sydney. Our products operate globally for customers like Marriott, DHL, Halliburton, Starbucks and hundreds more. For more information, please visit www.avatier.com and follow @Avatier on Twitter.
Clarity Communications for Avatier
Direct: +1-415-963-4082 x101