In IT, risk is real, and it becomes more real with each passing day as the number of phishing and ransomware scams escalates. According to a study by SonicWall, ransomware attempt volume reached more than 300 million for the first half of last year, a new record. The US, UK, and Germany topped the list as potential targets, with South Africa and Brazil rounding out the top five.
With ransomware attempts shooting up by almost 80 million compared to the previous six months, it would be easy for security and IT personnel to become paranoid about cyberattacks.
That’s where risk management comes in. It uses a series of enterprise risk management software tools to bring sanity to enterprise management and cybersecurity by highlighting the areas of high risk, analyzing the factors involved, and outlining how to respond to those risks. The goal is to achieve some measure of control in order to minimize future negative outcomes, and to move the organization from a reactive to a proactive stance.
The key steps of the risk management process are:
- Identify risks
- Assess risks
- Implement controls
- Review effectiveness
Risk management tools are used to help organizations determine the level of risk involved and predict the potential outcome. They can offer management insight and knowledge to help determine such things as whether to upgrade systems now or delay the project for a year. They also help the business evaluate its tolerance levels for risk. A large financial firm processing billions of dollars weekly might have a low tolerance for transactional downtime, for example, whereas a construction firm might be willing to have its system down for a day or two without serious problems.
Risk Management Complexity
Risk management tools can be complex. Implementing them frequently requires consultants to help deploy the technology, establish the processes, and bring personnel up to speed. Risk management software can include many different functional areas spanning all ends of the organizational spectrum: IT and security risk management, audit management, compliance management, digital risk protection, privacy management, business continuity, inbound third-party risk management, and outbound third-party vendor risk management.
“Given the breadth of capabilities within risk management solutions, it is advisable to stage a deployment over time, implementing modules gradually,” said Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows. “Instead of trying to set up all risk management aspects out of the gate, start with a few modules and slowly implement it.”
To succeed, organizations must have a clear understanding that no matter how strong their technology may be, it is the people and process aspects that must be prioritized in risk management — otherwise failure is inevitable. Risk management tools today are growing in scope to encompass third-party software, supply chain partners, and customer portals. Holland noted the recent SolarWinds, Accellion, Microsoft Exchange/Hafnium, and Kaseya events. These, he said, have reprioritized the importance of third-party vendor management.
“Now more than ever, defenders must be able to move beyond static vendor assessment questionnaires to ongoing monitoring of their supply chains,” said Holland. “Point in time assessments might be acceptable for checkboxes but aren’t sufficient when trying to reduce the risk from your business partners.”
Top Risk Management Tools
The various risk management software packages out there take different approaches to risk. Some zero in on cybersecurity; others go end to end across the enterprise, taking in all facets of organizational risk. This can include planning, budgets, financials, physical and cybersecurity, and more.
Enterprise Networking Planet evaluated a number of risk management software platforms. Here are our top picks in no particular order.
Resolver equips enterprises with a picture of their risk, enabling them to make decisions to move their business forward and grow faster while ensuring their people and assets are protected.
- Risk management software enables better remote risk management by improving engagement with the front line with a guided risk assessment, a simple task list, and easy reporting.
- AI-enabled security management tool.
- Incident management software to automate the incident and investigative process to mitigate losses and reduce incidents.
- Investigations and case management to find the links between investigations and tracked incidents to ensure management of security risks.
- Streamlined security planning that includes built-in security audit functionality.
- Resolver’s Command Center Software increases situational awareness of corporate security teams by bringing event identification, response management, officer and dispatcher communication together into one centralized application.
- Modules for compliance and ethics management, internal audits, and vendor risk management.
JupiterOne uses its own platform to understand the risk in any environment. The JupiterOne cyber asset management and governance platform provides visibility into cyber assets as well as providing a deep understanding of the current state of those assets. Understanding the relationships between the assets is the final component that helps to detail threats and assess risks.
- Empowers cybersecurity and GRC teams with a centralized compliance-as-code solution that automatically gathers evidence to support compliance needs and processes.
- Can be used as the basis for the entire cybersecurity program.
- Security engineering and operations, compliance, cloud security posture management, vulnerability management, incident response and more are all executed with the context that is gathered from JupiterOne.
- Cloud native graph-based cybersecurity platform.
- The ability to understand the relationships and interdependencies between cyber assets.
- Available as a SaaS solution with no need for an on-premise footprint to execute.
- Accelerated security reviews and audits.
- Accelerated gap remediation.
- Integrates with all security solutions, DevOps tools, and cloud services.
- Inventory of cyber resources and assets—everything from users and identities to code repositories, and endpoints updated in real time, automatically.
- Insights and compliance dashboards.
- Security policy builder creates policies unique to the organization.
LogicManager risk-based solutions offer an enterprise-wide view of risk management processes. Its Enterprise Risk Management (ERM) software connects enterprise risk management, governance, and compliance activities in one centralized hub.
- Identify risk across the organization.
- Centralized libraries of industry-specific risks.
- Pre-built, configurable risk assessment criteria standardize data.
- Cloud-based risk monitoring capabilities.
- Streamline testing, metric collection, and incident remediation.
- Create repositories of risk mitigation activities, controls, and procedures to cover the areas that need it most.
- Interactive dashboards, heat maps, and risk-matrices.
Pathlock’s capabilities focus on treating and monitoring risks by automating detective and preventative controls. Automating controls allows companies to monitor and remediate risks in real time, as they surface. Many companies approach risk solely through the lens of annual compliance-driven audits; Pathlock instead allows companies to continuously assess and respond to risks in real time, ensuring timely action.
- Pathlock integrates with 140+ critical business applications where many business processes are managed and many risks may originate.
- Complete visibility to all activity within these applications to assess risk potential.
- Ability to monitor risks in real time, with preventative controls to ensure risk is managed and mitigated as it arises.
- Pathlock has engaged with hundreds of Fortune 2000 companies to manage enterprise risk programs and enable a proactive strategy around critical risks.
- Map all Segregation of Duties (SoD) and sensitive access risks across systems to stop threats and take the pain out of compliance.
- Uses native dashboards to accelerate review workflows.
- Financial control and audit support.
- Run “What-If” analyses to check what new risks might be introduced.
- Simulate the risk of adding new roles before making changes live.
- Shorten user access review cycles by up to 80% by automating your process end-to-end.
- Comprehensive ruleset to manage SOX audits out-of-the-box.
EY (formerly Ernst & Young) focuses on financial organizations, but its capabilities go beyond finance to include cyber risk. Its offering covers planning and profitability improvement, compliance, actuarial transformation, regulatory reporting, and more. It provides a team of experienced consultants to assist with the creation of a risk management program.
- Establishes a finance and risk technology infrastructure that allows for automation and big data analytics.
- Drives accountability and enterprise decision making.
- A Global Regulatory Network, consisting of former regulators and bankers from the Americas, Asia and Europe, provides strategic insights on financial regulation that helps clients adapt to the changing regulatory landscape.
- Manages financial crime and cybercrime risk.
- Development of management strategies.
- Evaluation of emerging trends in finance and risk.
The focus of Icertis is on contract management and risk. From there, it offers a general risk management platform that extends into many other aspects of governance, risk, and compliance (GRC). It identifies, assesses, and manages all contract risks and ensures the fulfillment of obligations based on insights from compliance tools.
- The AI-powered Icertis Contract Intelligence platform structures and connects the critical contract information that defines how an organization runs.
- Streamline contracts and processes and connect the dots across departments.
- Standardized, rule-based content based on approved templates and relationships.
- Dynamic approval workflows.
- Identification, assignment, and fulfillment tracking for all obligations.
- Enterprise-grade security and administration to manage highly sensitive information.
- Drive compliance and minimize risk with continuous monitoring and smart rules.
- Advanced analytics.
SAP’s GRC offering is composed of modules revolving around SAP HANA in-memory analytics. These modules include SAP Risk Management, SAP Process Control, SAP Audit Management, and SAP Business Integrity Screening. In-memory data access gives top-of-the-line big data and predictive analytics capability that is tied to risk management. It enables organizations to automate and manage risks, controls, identities, cyber threats, and international trade across the enterprise with embedded analytics and artificial intelligence.
- Unify enterprise risk and control activities on a common technology platform, leveraging continuous monitoring for agile decision-making.
- Links operations, risk management, compliance, and internal audit.
- Helps screen trading partners, reduce the risk of penalties and fines, and clear inbound and outbound customs quickly.
- Threat monitoring, data controlling, and privacy management.
- Monitors and manages identities and controls who has access to information and processes.
- Insight into how risk drivers can impact business value and reputation.
- Documents, assesses, tests, and remediates process risks and controls by streamlining enterprise compliance efforts and using best practice internal control processes.
- Streamlines internal audits by simplifying document evidence, organizing work papers, and creating reports.
- Screens large volumes of transactional data in real time based on predictive analyses and extensible rule sets that uncover anomalies, fraud, or deviations from policy.
Navex offers an integrated risk and compliance program to mitigate risk and leverage compliance. Its 360-degree view of risks across the enterprise includes modules for Ethics & Compliance; Environmental, Social, and Governance (ESG); and Integrated Risk Management.
- Suite of ethics and regulatory compliance software aligned with international regulations, DOJ guidance, and EU directives.
- Manages the social, economic, and environmental decisions that impact reporting, compliance, hiring, investor relations, and long term stakeholder value.
- Enterprise-wide GRC solution addressing third party, IT, audit, operational, health and safety, internal control and business continuity risks.
- Navex Lockpath encompasses four standalone products including business continuity management and planning, privacy, risk and compliance management, third-party risk management, and health and safety management.
- Catalog key assets and assess for risk, then conduct business impact analyses to quantify the potential impact of disruption.
- Establish metrics to measure program effectiveness, and monitor for changes that could affect processes or plans and lead to a disruption.
- Use best-practice templates to build resiliency and recovery plans that support operations during and after a disruption.
- Configure or use out-of-the-box templates, standardized processes, and contextual reports and dashboards.