Experts agree that the continuing cost of compliance to enterprises, and the demand for return on investment from businesses and their shareholders, are forcing companies to take the next step of developing full-fledged risk management strategies that are tightly integrated with their business processes.
"I think we're beginning to see a second stage, where the CFO and business managers say, 'We see that you have [compliance] under control, but we've got to drive down costs. We can't go to the market and continue to say we're not going to hit our earnings because of Sarbanes-Oxley'," says Chris Annattos, CEO of Coercion.
Fashioning the framework
IBM recommends a range of best-practice frameworks to help companies develop an enterprise risk management strategy, including the ITIL (IT Infrastructure Library) for IT service management, which focuses IT processes around business needs. But customers should adopt a layered approach that also includes consideration of ISO 17799, Cobit and various other standards, says Kelly Schupp, IBM's director of security solutions for Tivoli Software.
SunTrust backs the Cobit framework, which provides guidelines for IT security and control, but the company doesn't adopt any best practice whole cloth. "You have to look at [best-practice frameworks] through the lens of your business," Rowan explains.
Instead, the company sends its risk officers to bank teller training to see how things work in the field. That type of firsthand knowledge affects decisions made at the top level, about issues such as authentication and data protection. "If tellers need to log on five different ways just to access a screen, you may be addressing your risk but hurting your business," he notes.
Tools from companies such as Archer Technologies and SkyBox, which Gartner dubs "risk prioritization" software, are gaining popularity, as companies try to streamline risk management activities by understanding how regulations overlap and by prioritizing their risk, Gartner's Pescatore says.
"You know you have vulnerabilities out there, and there are regulatory requirements. It's like a huge Venn diagram," says John Kirkwood, American Express chief information security officer.
American Express is using asset and risk management technology from Archer to see the overlap in that diagram - and to spot the gaps. By its own estimates, the company is subject to around 11,000 different regulations in the US and abroad. Kirkwood estimates that around 80 or 90 percent of those are centred on just 250 different compliance areas.
"You can run out and put in what you need for Sarbanes-Oxley and other regulations, or you can say, 'All these require control of users. What's the least onerous way to put that in?' And then you can just refine it," he says.
SkyBox's products develop an overall picture of enterprise risk by analyzing network configurations together with assets and vulnerability information to identify areas that are susceptible to attack. That allows companies, for example, to determine not just that they need a network-based IPS device but where best to deploy the product to reduce their exposure to attack, states SkyBox's Cooper.
"The next phase - the real challenge - is quantifying whether IPS and IDS are actually doing what you expect them to do ... and prove to the management team what the value of that investment is," he says.
At companies such as the Limited Brands in Ohio, which owns Victoria's Secret and Bath & Body Works, compliance for Sarbanes-Oxley led to the creation of an overall risk management and brand protection strategy in the past three years, says David Criminski, security director at Limited.
The company used an arsenal of point security products for years, including IDS, IPS, firewalls, antivirus and malicious code detection, but only issued its first security policy in 2003, to comply with Sarbanes-Oxley. Since then, Limited has introduced a data classification model that identifies all data according to its level of risk: private restricted confidential (customer data), restricted confidential and public confidential.
The data classes have, in turn, been integrated into Limited's project management lifecycle, allowing the company to focus activities such as security research and penetration testing on systems handling the most sensitive data, Criminski says.
He adds that "as an IT security guy, I'd love it to be all security all the time, but you've got to prioritize. So if it's PRC (private restricted confidential) data, you do all that, but maybe not with public confidential data".
Limited's risk management strategy has also made follow-on regulations such as PCI more manageable. "PCI doesn't stress us out because there isn't anything there that isn't a part of our security program already," Criminski says.