
What Makes Organizations Resilient and Why You Should Care

August 17, 2015

Information systems are inherently fragile. Operating systems and applications are very complex machinery, and considering how many changes (such as security patches and feature upgrades) are made to them, it should not be surprising that they are unstable at times. The recent outage trifecta (United Airlines, the New York Stock Exchange and the Wall Street Journal all suffering significant outages on the same day) is just one recent example.

From a security perspective, organizations that are effectively resilient employ security controls based on the actual risk of breach, not based on emotion or the attractiveness of shiny objects. And from a reliability perspective, mature organizations have formal IT service management processes that govern all aspects of IT development and operations.

Mature organizations employ risk management processes that draw on multiple sources of risk and threat data: information obtained externally from threat intelligence vendors, as well as internal vulnerability information. These risk management processes produce repeatable outcomes in terms of classifying and ranking risk, rather than relying solely on gut instinct or emotion, as is common today.

Most of these same mature organizations have implemented modern IT management processes, whether ITIL (IT Infrastructure Library), ISO 20000 or DevOps. These frameworks include processes such as change management, configuration management, capacity management and incident management. IT organizations using these processes experience fewer instances of unscheduled downtime.

Frankly, few organizations are doing good, repeatable risk management. Too many CISOs are instead attracted by the latest tools, without regard to whether those tools are the most effective way to reduce risk in their particular organization.

Without an effective risk management process, organizations buy security tools based on FUD (fear, uncertainty and doubt), which is sometimes conveyed by vendors. Organizations also purchase tools because their counterparts in other organizations implemented those same tools. A risk management process takes the emotion out of the decision to purchase tools or services.

Recently, a CISO for a major city told me, “We buy shiny objects.” The impression I was given was that it was a cry for help, like someone with an addiction who confessed it as a way of asking for help to be free of it. Sadly, most organizations are buying security solutions without a solid basis in risk management, and few realize that this glaring deficiency should be considered a bigger defect than any technical vulnerability in their IT infrastructure.

So what can be done? You should conduct a risk assessment to determine where the biggest risks are. Further risk analysis will point to viable solutions. Find a trusted, competent security partner organization to conduct the risk assessment. A trusted partner will be objective and will act with the client’s best interests at heart.

Organizations with sufficient resources can even build their own risk management program and do many of their own risk assessments. But even then, getting an objective opinion provides added value.


By: Peter Gregory

Director, Information Security
