July 23, 2009

Security expert urges risk rethink

Focus on information risk not just on information security

By CBR Staff Writer

A change in mindset is needed among executives if enterprises are to deal with the challenges of information security, a top information risk strategist warned today.

“Security by compliance is no longer working,” said John Pironti, who is president of IP Architects and is one of the security professionals behind the Information Systems Audit and Control Association.

“The number and impact of security breaches have dramatically increased in the last couple of years, even though companies were in compliance with standards like PCI, GLBA, FFIEC, FISMA and others.” He said more input was called for from business executives, instead of organisations relying solely on security professionals and regulators to shape their security posture.

“We need to stop thinking about information security and start thinking about information risk management,” Pironti said.

Earlier in the year a report recommended that there should be a senior management team whose job it is to manage risk, and that this group should prioritise risks, improve controls and automate procedures. The team should also continuously assess controls and risks, leverage technical controls, policies and IT change management, and carry out comprehensive reporting.

The outcome of this coordinated approach to risk should be fewer incidents of data loss or theft, lower levels of business downtime and fewer problems with regulatory audit in IT, the IT Policy Compliance Group (ITPCG) said in its report.

At ISACA’s International Conference today the body unveiled Risk-IT, a new IT enterprise risk management framework which will be publicly available as a free download in September.


The new Risk-IT guide will map out a framework for enterprises to help executives decide how best to identify, govern and manage IT risk. It includes proposals that give end-to-end guidance on how to manage IT-related risks, beyond purely technical control measures and security. The guide will also help IT staff understand how they can capitalise on an investment already made in an IT internal control system to manage IT-related risk.
