We’re moving from a philosophy of “security knows best” to “security needs to know better about the business before it can know what to do,” said John Pironti (@jpironti), President of IP Architects, LLC.
Pironti knows best about this subject as he curated the risk management track at Interop in Las Vegas this year. In between sessions, I spoke with Pironti about what has changed over the past year with regard to risk management.
Pironti stressed the need for a data-focused approach. You can’t be everywhere, doing everything, but if you can understand what could happen, why, and when, and apply metrics to it, then you can take logical approaches to understanding business impact.
Security used to get by just knowing threats. That’s not enough anymore, explained Pironti. You have to know threats, risks, the viability of them happening, and then their impact on the business.
“If this situation was going to happen, what would it mean?” asked Pironti. How would it actually affect the business? Once you have that knowledge, and specifically data to back it up, you can build security models based on that. It’s a more symbiotic relationship that the business can embrace, not run away from.
Stock photo of risk management egg courtesy of Shutterstock.