Beyond the Checklist
This content is brought to you by Evolven. Evolven Change Analytics is a unique AIOps solution that tracks and analyzes all actual changes carried out in the enterprise cloud environment. Evolven helps leading enterprises cut the number of incidents, slash troubleshoot time, and eliminate unauthorized changes.
Managing Configurations to Mitigate Availability, Compliance, and Cybersecurity Risk
Jason Bloomberg, Managing Partner, Intellyx
Along with making and saving money, managing risk is one of the top three priorities for any executive. As with financial motivations, dealing with risk must percolate through the entire organization. Everyone is responsible for managing the risks within their respective purviews.
IT executives in particular must manage risks in their organizations. Downtime, performance issues, and compliance gaps all threaten the health of the business and thus are risks that the entire IT organization must manage.
Managers must make investment decisions that manage and mitigate all such threats across the board, without irrationally emphasizing one type of threat over another.
They need some kind of common denominator that gives them such balanced, rational control over risk. A new generation of configuration management can provide that common denominator.
How to Quantify Different Types of Risk
Of all the risks facing the enterprise at large, many fall within the domain of IT. We’ll consider three types of risk:
- Availability risk – the risk of downtime, as well as the risk of poor performance that adversely impacts user experience. Such risks threaten the organization’s bottom line via lost business and customer churn.
- Compliance risk – the risk of fines and reputational damage due to regulatory non-compliance.
- Cybersecurity risk – the risk that vulnerabilities will lead to breaches, causing loss of data and money, as well as reputational damage.
Other risks face the IT organization like technical debt risk, but the three categories of risk above are the most prominent.
Without a common understanding of these risks, managers are likely to make irrational investment decisions based on the crisis of the day. Organizations must objectively quantify the risks they face. This quantification relies on the practice of risk scoring.
Risk scoring begins with risk profiling, which rates how important a system is to the mission of the organization. Scoring individual findings against that profile provides a basis for quantitative, risk-based analysis that gives stakeholders a relative understanding of the different types of risk.
The overall score for a given type of risk is the sum of the profile-weighted scores across the systems exposed to it, which gives stakeholders a way of comparing risks in an objective, quantifiable manner.
One particularly useful (and free to use) resource for calculating risk profiles and scores is Cyber Risk Scoring (CRS) from NIST, an agency of the US Department of Commerce. CRS focuses on cybersecurity risk, but the folks at NIST have intentionally structured it to apply to other forms of risk, including availability and compliance risk.
If an organization has a quantitative approach to risk profiling and scoring, then it’s possible to benchmark risks to compare one type of risk to another – and furthermore, make decisions about mitigating risks across the board, and how much money to spend doing so.
Risk scoring is one aspect of the broader challenge of risk assessment. Organizations must assess their risks to coordinate various risk mitigation efforts that lead to an optimal balance between risk mitigation and the costs of achieving it.
There are, in fact, several different risk assessment frameworks that organizations can use to quantify and manage their IT risks, including the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) framework, the NIST Risk Management Framework, COBIT 5 for Risk, and ISO/IEC 27005:2022.
These frameworks and standards can help organizations assess and quantify their risks across different types of risk. Once they have quantified their various types of risks, they are now able to make informed decisions about how to mitigate all risks within the context of the budget for managing IT risk overall.
Closing the Gaps Between Risk Assessment and Mitigation
Once the organization has a handle on the IT risks it is facing, it’s well-positioned to mitigate those risks. However, no risk scoring and assessment regime, no matter how complete, can identify all the risks that threaten the organization.
There are many types of threats that can fall through the cracks, including zero-day attacks, mistakes due to human error, and new vulnerabilities that result from a change in configuration.
For all these reasons, organizations must adopt technology that goes beyond assessment checklists and captures the messiness of real-world situations that checklists and their associated benchmarks miss.
To close these gaps, organizations must manage the configurations of the various systems, applications, and networks that make up the IT estate.
Misconfigurations can lead to performance issues and downtime. They can also lead to out-of-compliance situations. And most significantly, misconfigurations can be the root cause of vulnerabilities that lead to breaches.
Misconfigurations, therefore, are often at the heart of availability, compliance, and cybersecurity risk. Finding the root-cause misconfiguration behind a particular threat requires some detective work using a configuration risk intelligence tool like Evolven.
Regardless of the type of risk, operators can use Evolven to trace interaction paths from applications to databases, uncovering the root-cause misconfiguration along the way.
Evolven monitors the entire configuration estate enterprise-wide in real time for any change, anomaly, or misconfiguration, looking beyond the frameworks and checklists to prevent, as well as mitigate, issues.
The risk-based AI engine analyzes changes as they occur and prioritizes them based on risk, enabling a more proactive posture to risk management across the enterprise.
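The two ideas in this section, profile-weighted risk scoring and change detection against an approved configuration, fit together in a few dozen lines. The following is an added illustration written for this article, not Evolven's code, and it says nothing about how the Evolven engine works internally. The baseline, the observed snapshot, the setting-to-risk-type mapping, and the severity weights are all constructed for the example; a real deployment would pull the baseline from a CMDB or infrastructure-as-code repository and the snapshot from the live host.

```python
"""Illustrative configuration-drift detection with risk-weighted scoring.

Added example for this article. It is not Evolven's code and does not
describe the Evolven product. Every value below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: the approved configuration of a hypothetical
# payments API host. Keys are setting paths, values are approved values.
BASELINE: Dict[str, str] = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
    "db.connection_pool.max": "50",
    "logging.audit.enabled": "true",
    "nginx.worker_processes": "auto",
}

# Constructed observed snapshot with drift planted on three settings,
# plus one setting that appears nowhere in the approved baseline.
OBSERVED: Dict[str, str] = {
    "sshd.PermitRootLogin": "yes",       # cybersecurity drift
    "sshd.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
    "db.connection_pool.max": "5",       # availability drift
    "logging.audit.enabled": "false",    # compliance drift
    "nginx.worker_processes": "auto",
    "debug.remote_console": "enabled",   # unapproved new setting
}

# Which of the article's three risk types a setting maps to, and how
# severe a change to it is (1 low .. 5 high). Assumed values.
SETTING_RISK: Dict[str, Tuple[str, int]] = {
    "sshd.PermitRootLogin": ("cybersecurity", 5),
    "sshd.PasswordAuthentication": ("cybersecurity", 4),
    "tls.min_version": ("cybersecurity", 4),
    "db.connection_pool.max": ("availability", 3),
    "logging.audit.enabled": ("compliance", 4),
    "nginx.worker_processes": ("availability", 2),
}
# Settings absent from the approved baseline are treated as a security
# finding of medium severity until someone classifies them.
UNKNOWN_SETTING: Tuple[str, int] = ("cybersecurity", 3)


@dataclass
class Drift:
    path: str
    baseline: Optional[str]
    observed: Optional[str]
    risk_type: str
    score: int


def detect_drift(baseline: Dict[str, str], observed: Dict[str, str],
                 profile_weight: int) -> List[Drift]:
    """Return every changed, added or removed setting, highest score first.

    profile_weight is the system's risk-profile multiplier (how
    mission-critical it is), so the same change scores higher on a
    payments host than on a lab box.
    """
    drifts: List[Drift] = []
    for path in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(path), observed.get(path)
        if before == after:
            continue
        risk_type, severity = SETTING_RISK.get(path, UNKNOWN_SETTING)
        drifts.append(Drift(path, before, after, risk_type,
                            severity * profile_weight))
    # Stable sort: ties keep alphabetical path order from the loop above.
    return sorted(drifts, key=lambda d: d.score, reverse=True)


def score_by_type(drifts: List[Drift]) -> Dict[str, int]:
    """Sum drift scores per risk type so the three risks share one scale."""
    totals = {"availability": 0, "compliance": 0, "cybersecurity": 0}
    for d in drifts:
        totals[d.risk_type] += d.score
    return totals


if __name__ == "__main__":
    found = detect_drift(BASELINE, OBSERVED, profile_weight=3)
    for d in found:
        print(f"{d.score:3d} {d.risk_type:13s} {d.path}: "
              f"{d.baseline!r} -> {d.observed!r}")
    print(score_by_type(found))
```

The point of the per-type totals is the common denominator the article asks for: the same host produces one availability number, one compliance number and one cybersecurity number, so a manager can see at a glance where the unreviewed changes are concentrating risk instead of reacting to whichever category produced the latest incident.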
The Intellyx Take
Leveraging a risk assessment framework to quantify risk is a daunting task. It can lead to massive reams of paperwork, suitable perhaps for auditors but ill-suited to managing the risks themselves.
It is important, therefore, for organizations to think beyond the scorecards, assessments, and benchmarks by implementing proactive configuration management.
Quantifying and measuring risk is important for making informed decisions about managing the threats to the organization, but don’t let the measurement process prevent your team from focusing on the actual management of risk itself.
Risk management, therefore, must be a combination of carefully planned processes and effective hands-on configuration management. Neither one is sufficient on its own, so don’t let paperwork keep your organization from taking control of the risks it faces.
Copyright © Intellyx LLC. Evolven is an Intellyx customer. None of the other organizations mentioned in this article is an Intellyx customer. Intellyx retains final editorial control of this article. No AI was used to produce this article.