"How do you take a risk, have five people take a look at it and have a consistent measure of what it might cost the business?" asks Greg Avesian, vice president of enterprise IT security at Textron. It's not a rhetorical question: The $US10 billion conglomerate recently embraced the risk-based security model, and quantifying the potential damages of various threats is one of the discipline's main challenges.

In the IT arena, security spending has traditionally been tactical, even scatter-shot, with a rationale difficult to pin down beyond a vague idea that -- to take a cue from Emil Faber, founder of Faber College of Animal House fame -- Security is Good. The risk-based security model is an effort to change that. "Organizations are beginning to deal with risk coherently," says Chris Byrnes, an analyst at Gartner. "Rather than viewing infosec as an island, they're looking across a broader set of risks."

The risk-based model can be a big win for the enterprise because it directs spending where it's needed most, resulting in stronger security. But IT groups are struggling to master the challenges of the still-new concept.

Logical progression

In the risk-based model, IT and security managers work with business units to identify the biggest threats to the business and then set priorities for security investments. In essence, this model is a cost-benefit analysis to ensure that the security budget is spent wisely.

Clearly, then, the risk-based security model is a logical outcome of the tightening bond between business priorities and technology expenditures. Just as portfolio management and other disciplines tie IT spending to the most productive business initiatives, risk-based security prioritizes spending by the potential damage of various threats.

At Textron, "we looked at [risk-based security] because, like everybody else, we've got a finite amount to spend on risk mitigation," Avesian says. The new model, he adds, "has helped us develop a consistent framework when evaluating risk, and it's forcing us to think more strategically." The company has long emphasized process and views the risk-based model as a complement to its efforts to comply with the Sarbanes-Oxley Act and its devotion to both the Six Sigma quality-control methodology and Control Objectives for Information and Related Technology (Cobit), a set of best practices for IT management.

Sarbanes-Oxley and Cobit each introduced robust controls, Avesian says, while Textron's Six Sigma history taught it to standardize processes wherever possible -- which, in turn, entailed measuring progress on that standardization. Indeed, Textron has a resident Six Sigma Black Belt (a rare level of expertise) who is the company's risk-based "process owner".

Analysts and security managers say the growing importance of regulatory compliance has encouraged the adoption of risk-based security. Many demands of Sarbanes-Oxley and other regulations not only help companies become aware of security risks they may have overlooked, but also dictate controls to plug the holes.

That's what happened to a Canadian company which, like many companies in Australia, does extensive business with US trading partners and has to comply with Sarbanes-Oxley regulations.