Redefining risk management

With a Risk Operations Center (ROC), leaders can proactively crack down on cyber risks instead of simply reacting to them


Risk management is a constant point of concern in the modern enterprise, with cybersecurity threats, compliance pressures, and financial leaps of faith all piling pressure on the teams who are forced to manage them.

But risk management can’t always be about bailing out the sinking ship. Sooner or later, businesses need to integrate their risk management systems and connect teams together via a centralized framework.

What are the benefits of overhauling risk management in this manner? And how can it be achieved?

In this special edition of the ITPro Podcast, in association with Qualys, Rory is joined by Ivan Milenkovic, VP Risk Technology EMEA at Qualys, to explore how businesses can reduce the burden on C-suite executives and improve their overall resilience by restructuring their approach to risk management.

Highlights

"It's not a technical failure when we talk about siloed stuff, I would call it a translation failure. Historically, CISOs speak vulnerabilities, CVSS scores, stuff like that. Whereas the CFO speaks money, or financial exposure for that matter. And these are two very different languages describing the same problem at the end of the day."

"I don't think we can talk about a ROC without mentioning the good old SOC, the security operations center. Those are the two important sides of the medal, where we are sort of used to what the SOC does, and people understand that the SOC lives right of boom, if you want. So it deals with a fire that's already started, all of your incidents; you are sort of trying to figure out what happened, how it happened, what are the next steps you need to take to eradicate the problem, and so on and so forth.

"Whereas the ROC lives left of boom. And what I mean by that is it actually, to use the same analogy, deals with the dry tinder and sparks. So all of your vulnerabilities, misconfigurations, identity exposures, all the stuff that can actually cause the problems."

"These days, when we look at what's going on, the average weaponization window, as we call it, is something unbelievable. So we are talking about, give or take, on average across everything, only an 11-day gap. So you have something along the lines of adversaries weaponizing new vulnerabilities in 19 days or thereabouts, and defenders still patch in more than 30 days. Huge gap."

"When we talk about automation, it isn't necessarily only stuff like automated patching. It's about being able to automatically bring in all the relevant sources: imagine various threat feeds, imagine something scanning your entire environment every second of the day, internally and externally, and trying to find exposed assets that maybe you were not aware of, making sure that you do get that complete, unified view and effectively mapping it all together so you do have much better visibility, if anything."
