IT Security Risk Management: Key Concepts + Best Practices
Learn how a comprehensive IT security risk management approach goes beyond just having strong tools and includes various key concepts such as data loss prevention, employee awareness, and incident management planning.
IT security risk management has been a hot topic for years, increasing in prominence as technology has evolved and, inevitably, faced more risks. Many companies dedicate more of their budget to security tools than they once did, which is encouraging, but IT security risk management is about much more than having best-in-class firewalls, password vaults, or IaaS providers.
A security incident, or in the worst case a data breach, can occur in many ways: a careless employee, a failed control, or a compromise at a third party. IT security risk management covers identifying, assessing, treating, and monitoring risks across the company's environment, drawing on security best practices and frameworks.
This article explores a variety of IT security risk management angles, pointing out how they play a pivotal role in a unified risk management approach.
Imagine this scenario. An early Monday morning starts with agitated calls related to recent news reports: Your company had a data breach, and confidential customer information has been leaked to the public. This is clearly a crisis situation. The reputational impact is immediate, and regulators will knock on the door soon enough, too. Those responsible for managing the company’s technology infrastructure are likely already investigating the incident and are trying to contain the threat. At the same time, they are constantly being asked: “How did this happen?”
Mature organizations do not end up in a blame scenario or having to deal with complete confusion. A healthy risk management framework (RMF) recognizes the volume and complexity of IT security risks and enables those responsible for this area to capture and report risks, raise concerns, and get support for mitigating unacceptable risks.
Data breaches are not limited to personally identifiable information (PII) or personal data as defined by the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), or protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Any valuable data a company holds can be at risk of a data breach, including trade secrets, strategic plans, internal communications, and more.
Data breaches generally stem from unauthorized access to confidential information that is predominantly stored on or processed by digital assets such as applications, servers, and storage devices. Thus, this risk falls under the umbrella of IT security. However, data loss prevention (DLP) should be a company-wide concern.
Business owners play a key role in DLP. Along with overseeing specific business functions or processes, business owners are also accountable for the performance, integrity, and security of the associated data and systems they manage. Thus, they should understand what data is being processed by the assets for which they are responsible. Business owners should classify the data, discuss appropriate protection measures, and support their implementation. The assets should then be subject to IT security controls such as access management, encryption, data retention and deletion, information transfer rules, change management, backup, and others as appropriate.
Employee awareness and education in IT security are crucial for Data Loss Prevention (DLP). Employees need to know how to handle confidential information properly and have the tools to process and transfer it securely. By fostering a culture where employees can easily access secure solutions, they will be less likely to bypass security protocols.
It’s worth recognizing that data leakage prevention is not a matter of merely acquiring a DLP tool. Provided that the other areas are up to par, and there are enough resources to dedicate to managing, tuning, and monitoring a DLP tool, such a tool can be a valuable addition to the layered approach implemented to minimize the risk of data leakage.
Since plenty of valuable data flows across networks, threat actors use a wide range of tactics and techniques to attack network infrastructure. Whatever the method, the high-level risk is the same: an attacker targeting a network wants to gain a foothold and then exploit it to reach systems and data.
If we dissect the techniques through which this objective can be achieved, we can identify sub-risks such as system unavailability or degraded performance (denial of service), unauthorized access, and misuse of privileged access.
Many network controls address these risks. These may include network segmentation, disabling unnecessary ports, malware detection, antivirus, vulnerability scanning, patching, activity logging and monitoring, and others. Choosing the right mix and stringency of these controls should always be done based on IT risk assessments.
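The following is an added example, not code from the article or from Drata, showing how a risk assessment can drive that choice of controls. It scores the sub-risks discussed above on assumed 1-4 likelihood and impact scales, applies the reduction each listed control is assumed to provide, and compares the residual score with an assumed risk appetite; every figure in it is a constructed assumption, not a value from the article.

```python
"""Qualitative risk assessment driving the choice of network controls.

Added example (not Drata's code). The 1-4 likelihood/impact scales, the risk
appetite threshold and the effect attributed to each control are assumptions
made for illustration, not figures from the article.
"""
from dataclasses import dataclass, field

RISK_APPETITE = 6  # assumed: a residual score above this must be treated


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps removed from the 1-4 likelihood scale
    impact_reduction: int = 0      # steps removed from the 1-4 impact scale


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 4 (almost certain)
    impact: int      # 1 (minor) .. 4 (severe)
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk remaining once the listed controls operate as designed."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


# Controls named in the text; their effect sizes are assumptions.
SEGMENTATION = Control("network segmentation", impact_reduction=1)
SCAN_AND_PATCH = Control("vulnerability scanning and patching", likelihood_reduction=1)
LOG_AND_MONITOR = Control("activity logging and monitoring", impact_reduction=1)

# Constructed register built from the sub-risks discussed above.
REGISTER = [
    Risk("unauthorized network access", likelihood=3, impact=4, controls=[SEGMENTATION, SCAN_AND_PATCH]),
    Risk("privileged access misuse", likelihood=2, impact=4, controls=[LOG_AND_MONITOR]),
    Risk("system unavailability (denial of service)", likelihood=3, impact=3, controls=[]),
]


def assess(register: list[Risk], appetite: int = RISK_APPETITE) -> list[dict]:
    """Score each risk and decide whether it sits inside the risk appetite."""
    rows = []
    for risk in register:
        residual = risk.residual_score()
        rows.append({
            "risk": risk.name,
            "inherent": risk.inherent_score(),
            "residual": residual,
            "controls": [c.name for c in risk.controls],
            "decision": "accept" if residual <= appetite else "treat",
        })
    return rows


def treatment_queue(register: list[Risk], appetite: int = RISK_APPETITE) -> list[str]:
    """Risks still above appetite, highest residual first: the order in which to add controls."""
    above = [r for r in assess(register, appetite) if r["decision"] == "treat"]
    return [r["risk"] for r in sorted(above, key=lambda r: r["residual"], reverse=True)]


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f'{row["risk"]:<45} inherent={row["inherent"]:>2} residual={row["residual"]:>2} -> {row["decision"]}')
    print("treat next:", treatment_queue(REGISTER))
```

With these assumed figures, segmentation plus scanning and patching bring unauthorized access from 12 down to 6, logging brings privileged misuse from 8 to 6, and the untreated availability risk stays at 9, so it is the one that needs a control added next. The point is the mechanism: the register records why each control exists and makes the gap visible when a risk is still above appetite.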
Whether software development is done internally or outsourced, IT security best practices need to be followed to ensure that the new features or shiny digital products will be safe for use, integrate well with the rest of the network, perform well, and be resilient to external attacks.
Here are some specific good practices:
Bring security and development teams together: Development and security have traditionally been at cross purposes, which causes lots of rework. Embedding security into each development phase is no longer a utopia. “DevSecOps” teams now have a mission to develop a software product in a secure manner.
Engage in secure development: This cannot be stressed enough. Applications are attacked through weaknesses in their own code, and developing software without following security best practices leads to a rise in application security vulnerabilities. A valuable resource is the “OWASP Top 10,” an industry-standard list that ranks the most critical web application security risks. It is also a good idea to create “security guilds”: cross-team communities of practice that produce training programs and materials for developers on how to code securely.
Perform security testing: Besides classical unit testing, performance testing, and user acceptance testing, security testing before deployment should not be skipped. Methods include static and dynamic application security testing (SAST and DAST), vulnerability scanning, and penetration testing, with risk assessments deciding how much of each an application warrants.
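As an added example (not code from the article or from Drata), the block below puts the two practices side by side: an injection flaw of the kind the OWASP Top 10 ranks, written as a vulnerable lookup next to its hardened form, and a security test that runs in the same suite as the unit tests. The users table, the credentials and the payload are constructed for illustration.

```python
"""Injection (OWASP Top 10) as a vulnerable lookup beside its hardened form,
with a security test that can run in CI alongside the unit tests.

Added example (not Drata's code). The users table, credentials and the
injection payload are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Builds the query by string formatting: user input becomes part of the SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterized query: the driver sends the value separately from the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload: closes the string literal and appends OR '1'='1.
INJECTION_PAYLOAD = "x' OR '1'='1"


def passes_injection_test(lookup) -> bool:
    """Security test: a lookup passes if the payload returns no rows.
    A database error on the payload also counts as a pass, because nothing
    was leaked; only a result set is a failure."""
    conn = make_db()
    try:
        rows = lookup(conn, INJECTION_PAYLOAD)
    except sqlite3.Error:
        return True
    return rows == []


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, INJECTION_PAYLOAD))  # dumps every user
    print("hardened:  ", find_user_hardened(conn, INJECTION_PAYLOAD))    # no such user
    print("vulnerable passes:", passes_injection_test(find_user_vulnerable))
    print("hardened passes:  ", passes_injection_test(find_user_hardened))
```

The vulnerable lookup returns both accounts for the payload because the closing quote turns the rest of the input into SQL; the parameterized version looks for a literal username that does not exist and returns nothing. Keeping the payload test in the suite means a later refactor back to string formatting fails the build rather than waiting for a penetration test to find it.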
Third-party consultants, cloud providers, SaaS solutions, or outsourced development become part of an organization’s environment. Attacks through third parties are not uncommon; in fact, onboarding a vendor that doesn’t have a good security posture should be raised immediately as a concern from a risk management perspective. These are all good reasons to have security assessments as part of the vendor due diligence processes before onboarding and as part of regular monitoring.
Vendor security assessments can be conducted using a range of methods, which should be proportional to a vendor’s criticality to the business. Essentially, they should be tailored to the level, types, and amount of confidential company data the vendor will process.
If a new vendor will be used for AI training for a set of employees and will only process company email addresses, for example, it may be sufficient to verify their legitimacy and ask for basic contractual requirements on confidentiality and data processing. On the other hand, consider a process involving customer PII that will be run through cloud software that transfers data across jurisdictions (e.g., from the EU to the US). In this situation, the IT security assessment may include asking for (and assessing) the vendor’s SOC 2 Type II report, data protection measures, network diagrams, latest penetration test results, and the right to audit.
You may wonder how large companies with best-in-class security tools still suffer major security breaches. Very often the answer lies with people, who are the weakest link in the defense chain and a prime target for attackers. An employee who discloses company credentials or other sensitive data hands the attacker a foothold. Regular security awareness training is essential to mitigate this.
With the rise of AI, attacks can be executed with precision, using realistic images and videos. Imagine thousands of phishing emails generated by AI or CEO impersonation using deep-fake technology. It’s essential to continuously educate employees about these advanced threats and tactics and train them on how to identify, report, and respond effectively.
IT security functions should be viewed as trusted partners by employees, encouraging them to report any suspicious behavior, including their own actions. This type of culture will foster an honest work environment and enhance risk awareness and management.
Even with solid technical controls, clear policies, and employee awareness, incidents can still occur. IT security incidents can take many forms, including exploited application misconfigurations, phishing, external intrusion, and cross-site scripting (XSS).
These incidents can go unnoticed without an incident management process and can significantly impact the company’s business and operations. As such, an incident management process is required with assigned roles and responsibilities, capabilities for monitoring and alerting, escalation paths, response SLAs (even if internal), and the means to contain and eradicate the threat. External partners are sometimes needed to enhance the internal capabilities with 24/7 system monitoring, threat intelligence, forensic analysis, and even negotiation with the attacker, where relevant.
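The following is an added example, not code from the article or from Drata, of the monitoring-and-alerting piece of that process: it runs a detection over constructed sshd-style authentication log lines, classifies each alert using an assumed criterion (a burst of failed logins, escalated when the same source then succeeds), and attaches an assumed internal response SLA so the escalation path has a deadline. The hosts, IP addresses, threshold, window and SLA hours are all assumptions for illustration.

```python
"""Monitoring and alerting over authentication logs, with classification
criteria and a response SLA attached to each alert.

Added example (not Drata's code). The log lines, hosts, IP addresses, the
threshold/window and the SLA hours are constructed assumptions for
illustration; a real deployment would take these from the incident
management procedure.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines: one brute-force run that ends in a successful
# login, one below-threshold failure pair, and one unremarkable login.
SAMPLE_LOG = """\
2024-05-06T08:01:10Z bastion sshd[1001]: Failed password for admin from 203.0.113.5 port 51234 ssh2
2024-05-06T08:01:20Z bastion sshd[1002]: Failed password for admin from 203.0.113.5 port 51235 ssh2
2024-05-06T08:01:25Z bastion sshd[1003]: Failed password for root from 198.51.100.7 port 40001 ssh2
2024-05-06T08:01:30Z bastion sshd[1004]: Failed password for admin from 203.0.113.5 port 51236 ssh2
2024-05-06T08:01:40Z bastion sshd[1005]: Failed password for admin from 203.0.113.5 port 51237 ssh2
2024-05-06T08:01:50Z bastion sshd[1006]: Failed password for admin from 203.0.113.5 port 51238 ssh2
2024-05-06T08:01:55Z bastion sshd[1007]: Failed password for root from 198.51.100.7 port 40002 ssh2
2024-05-06T08:02:00Z bastion sshd[1008]: Failed password for admin from 203.0.113.5 port 51239 ssh2
2024-05-06T08:02:15Z bastion sshd[1009]: Accepted password for admin from 203.0.113.5 port 51240 ssh2
2024-05-06T08:03:00Z bastion sshd[1010]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+) port"
)
FAIL_THRESHOLD = 5                    # assumed classification criterion
WINDOW = timedelta(minutes=2)         # sliding window for counting failures
SLA_HOURS = {"medium": 8, "high": 1}  # assumed internal response SLAs


def parse(log: str) -> list[tuple]:
    """Extract (timestamp, outcome, user, source_ip) from each matching line, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return sorted(events)


def detect(log: str) -> list[dict]:
    """Raise a medium alert when a source reaches FAIL_THRESHOLD failures within
    WINDOW; escalate it to high if the same source then authenticates."""
    recent_failures = defaultdict(list)
    alerts = {}
    for ts, outcome, user, ip in parse(log):
        if outcome == "Failed":
            window = [t for t in recent_failures[ip] if ts - t <= WINDOW] + [ts]
            recent_failures[ip] = window
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(window) >= FAIL_THRESHOLD:
                alerts[ip] = {
                    "source": ip, "type": "brute_force", "severity": "medium",
                    "first_seen": window[0], "failures": len(window),
                }
        elif ip in alerts:  # success after a brute-force run: likely compromise
            alerts[ip]["type"] = "brute_force_success"
            alerts[ip]["severity"] = "high"
            alerts[ip]["compromised_account"] = user
    for alert in alerts.values():
        alert["respond_by"] = alert["first_seen"] + timedelta(hours=SLA_HOURS[alert["severity"]])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields a single alert: the run from 203.0.113.5 crosses the threshold at the fifth failure, and the later accepted password from the same source escalates it to high, naming the account to contain and setting the one-hour deadline. The two failures from 198.51.100.7 stay below the threshold and generate no alert, which is the noise reduction the paragraph asks for.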
Major incidents require a “post-mortem,” a process focused on identifying an incident’s root cause, capturing lessons learned, determining further preventive actions, and incorporating the conclusions into an overall better risk management process.
Control testing in IT security aims to reveal deficiencies in the design and operation of security protection measures. A control can become unsuitable or can be insufficient in addressing risks, so a control testing process should be employed to capture deviations and not leave a false sense of security in the company.
Some examples of IT security controls:
Recertification of access rights to information assets, such as software, tools, and infrastructure resources. Recertification should be done more frequently for critical assets and can be more relaxed for others.
Change approvals that demonstrate that technological changes to systems have been assessed for risks, tested, and approved before deployment.
Incident detection and response provide evidence of how recent IT security incidents have been detected (through log monitoring and alerting), classified (using approved criteria), and mitigated in accordance with the incident management plan and procedures, such as playbooks for each incident type.
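As an added example (not code from the article or from Drata), the block below runs the access recertification control described above as a test: it compares current entitlements with an HR roster and with a recertification interval that depends on asset criticality, and reports orphaned accounts and overdue certifications. The roster, assets, entitlements, the 90- and 365-day intervals and the review date are constructed assumptions.

```python
"""Access recertification as a control test: compare current entitlements to
the HR roster and to the recertification interval set by asset criticality.

Added example (not Drata's code). The roster, assets, entitlements, the
90/365-day intervals and the review date are constructed assumptions.
"""
from collections import Counter
from datetime import date, timedelta

# Assumed policy: critical assets are recertified quarterly, the rest yearly.
RECERT_INTERVAL = {"critical": timedelta(days=90), "standard": timedelta(days=365)}

ASSET_CRITICALITY = {"prod-db": "critical", "ci": "critical", "wiki": "standard"}
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated"}
ENTITLEMENTS = [
    {"user": "alice", "asset": "prod-db", "role": "admin",  "last_certified": date(2024, 1, 15)},
    {"user": "bob",   "asset": "wiki",    "role": "editor", "last_certified": date(2023, 9, 1)},
    {"user": "carol", "asset": "ci",      "role": "admin",  "last_certified": date(2024, 4, 1)},
    {"user": "bob",   "asset": "ci",      "role": "viewer", "last_certified": date(2024, 4, 20)},
]
REVIEW_DATE = date(2024, 5, 6)


def recertification_findings(entitlements, roster, criticality, today, intervals=RECERT_INTERVAL):
    """Return one finding per entitlement that fails the control.

    orphaned: the holder is no longer an active employee -> revoke now.
    overdue:  the last certification is older than the asset's interval -> recertify.
    Unknown assets are reported rather than silently treated as standard.
    """
    findings = []
    for e in entitlements:
        crit = criticality.get(e["asset"])
        if crit is None:
            findings.append({**e, "finding": "unclassified_asset", "action": "classify"})
            continue
        due = e["last_certified"] + intervals[crit]
        if roster.get(e["user"]) != "active":
            findings.append({**e, "finding": "orphaned", "action": "revoke"})
        elif today > due:
            findings.append({**e, "finding": "overdue", "due": due, "action": "recertify"})
    return findings


def summarize(findings) -> dict:
    """Counts per finding type, the figure that goes into the control test report."""
    return dict(Counter(f["finding"] for f in findings))


if __name__ == "__main__":
    found = recertification_findings(ENTITLEMENTS, HR_ROSTER, ASSET_CRITICALITY, REVIEW_DATE)
    for f in found:
        print(f'{f["finding"]:<20} {f["user"]}@{f["asset"]} ({f["role"]}) -> {f["action"]}')
    print(summarize(found))
```

With the constructed data, alice's admin role on the critical production database was last certified in January and is overdue under the 90-day interval, while the same interval leaves bob's newer CI access in date; carol's CI admin role is orphaned because HR lists her as terminated, so it is flagged for revocation regardless of its certification date. An asset missing from the classification is reported as its own finding rather than quietly inheriting the longer interval.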
There are several globally recognized security frameworks that can help a company develop a systematic approach to IT security risk management. Here are some of them:
NIST Cybersecurity Framework (CSF): An up-to-date standard (version 2.0 published in 2024) that can be used across sectors and locations, the CSF helps organizations better understand, manage, reduce, and communicate cybersecurity risks.
ISO/IEC 27001:2022, issued jointly by ISO and IEC: The widely known standard for information security management systems (ISMS). It defines the requirements that must be met and how to establish, implement, maintain, and continually improve an ISMS.
The Payment Card Industry Data Security Standard (PCI DSS), issued by the PCI Security Standards Council: PCI DSS is the global data security standard adopted by the payment card industry for all entities that process, store, or transmit cardholder data and/or sensitive authentication data.
It’s important to recognize that merely meeting the minimum compliance requirement does not ensure that a company’s IT security is entirely secure. New threats emerge daily, and defenses must keep pace with attackers, who can acquire or develop digital weapons at an incredible speed.
A company’s risk management framework should be flexible enough to account for these complexities and enable management to support continuous efforts to keep IT security risks under control.
Effective IT security risk management is all about protecting assets, making them less vulnerable to threats. This can be viewed from two perspectives: operations (running the necessary controls) and governance (oversight of operating controls). Operations and governance both need a plethora of processes, workflows, tools, research, and people. There is always something more to automate.
Security operations need automated scanning and testing tools, alerting functionalities that help to avoid manually scrolling through the “noise,” automated discovery of new assets, auto-quarantine of potential malware, and system rules and triggers that support security staff as much as possible.
In the areas of governance, risk, and compliance, automation can be more than helpful for integrating various frameworks, creating and maintaining a risk register, centralizing vendor databases, running control tests and tailored assessments, generating dashboards and reports, and more.
Drata is a platform that can resolve decentralized risk management and reduce the overhead of mapping requirements from different regulations, using spreadsheets for vendor questionnaires, or having to follow up with numerous stakeholders for risk management reporting.
Security operations are a first line of defense against IT security risks, which are present across systems, networks, physical assets, and the supply chain. Security governance ensures that a framework is established for managing risks, testing controls, and promoting continuous improvement.
Like many other capabilities, effective IT security risk management requires a combination of suitable tools, streamlined processes, and trained personnel who do not work in isolation from the rest of the organization. IT security risks are a form of operational risk, which in turn contribute to overall business risks. Therefore, organizations must recognize that IT security is not a barrier to business objectives but a facilitator for achieving them securely.