Risk Management and Information Security: Merging into one?
Three times in the past two weeks I’ve been privy to a conversation about the difference between risk management and information security. Most organizations have separate functions for risk management and information security. In my past lives I’ve worked in a risk management-like function, but been closely aligned with what was going on in information security.
Even at the RSA conference there was a very clear divide between the two. I attended one session on online fraud and the speaker made the point that he would be giving the only talk at the conference about fraud.
I have to admit that I’ve always found the difference between the two functions to be a bit subtle. I see how the information security folks fight against things like denial-of-service attacks, SQL injection, cross-site scripting, network exploits, etc. And I see how risk management teams balance customer experience with the need to keep money from going out the door. But it seems like it might be time for these two types of teams to start working more closely together.
Isn’t it the case that the information security folks are trying to prevent the initial access while the risk management teams are preventing the final event? If so, it seems like it would be immensely valuable for the two groups to work together more closely. By understanding the combination of the attack vector as well as the motivation it seems like even stronger security/risk management practices could be put into place.
I know of at least one company that has recently combined its info sec and risk management functions. I’ll be curious to see how that works. I’d encourage the two communities to start working more closely together. I argue that we are, after all, fighting the same fight.

The Risk Management/Information Security divide, in my mind, seems to be similar to the eroding divide between IT Operations and IT Security, and that it will follow a similar course.
For ages, Ops and Security were treated as wholly separate entities, but as networks have become more distributed, the threats have become greater, and budget pressure is higher than ever, companies and vendors have started to integrate the teams, functions, and tools for increased performance, scalability, and visibility.
I think we’ll see companies develop the technical and fiscal desire to do the same with Risk Management and Information Security, but there is no telling how long it will take for that change in thinking to happen. I think this is one area where budget pressure and keeping an eagle-eye on ROI may help tell (and sell) the story.
@Dylan – great analogy. It will be interesting to see if Risk Management and Info Sec follow the same path as Ops and IT Sec.
Cavalcade of Risk is up, and your post is in it:
http://diseasemanagementcareblog.blogspot.com/2009/06/welcome-to-cavalcade-of-risk-version-81.html
[...] scripting as well as network exploits and their overlap with traditional risk management? Keep this link from the Silver Tail Blog handy so you can steal the show at your next risk meeting with those [...]
Pingback by Health Care. (united health care, universal health care) » Blog Archive » Welcome to Cavalcade of Risk, Version 81 (CoR.81) | July 1, 2009 |