Just as many financial services firms failed to predict the meltdown of the sub-prime lending sector and its ripple effect on the overall U.S. economy, IT and data security teams won't be able to sufficiently secure their assets and information unless they become far more progressive in assessing risk, according to IBM's top expert in the field.
Steven Adler, program director of IBM's Data Governance Solutions unit and chairman of the Data Governance Council industry group, said that just as U.S. lenders should have seen the writing on the wall long before the sub-prime market collapsed, IT security executives must begin using more progressive risk management techniques if they ever hope to get ahead of data breaches, malicious attacks and emerging compliance regulations.
The traditional model of addressing such technological and business challenges in a responsive manner has been broken for a long time, and organizations may have foreseen the current era of urgency in dealing with breaches, attacks, and regulation if they had applied greater levels of risk assessment to their IT operations sooner, Adler said.
The only way that businesses, government agencies, and other organizations will prevent continued security failures -- and rising overhead expense related to handling all of those problems -- in the future is by taking closer look at how they can embrace risk management and data governance today, he said.
"With the lending sector, risk was not priced into the market appropriately until August of 2007, and those markets were not acting efficiently before then -- they weren't able to accurately predict the risk of companies like Bear Stearns until it was far too late," Adler said. "Every market is an arbitrator of fear and greed, and information about risk is what we all use to make educated decisions. We need new data governance standards to help companies engage in smarter risk calculation, modeling, forecasting, and analysis on a much more systemic basis."
Most businesses are already collecting volumes of data that could be put to use in making more informed decisions about IT security and management, but they simply don't know how to put the information to work in a manner that will allow them to do so, according to the expert.
And Adler said that while companies like IBM can supply some of the consulting and technologies needed to help companies improve their risk management capabilities, the process must be addressed on a much higher level that allows organizations to begin moving forward on their own.
"CIOs are already collecting reams of data that could help with risk calculation in their logs, identity management systems, and intrusion prevention tools, but most of the time, it sits uncorrelated, uncompared, and unanalyzed," he said. "These companies have a wealth of information that could help them calculate risk more effectively; as an industry, we need to talk more about new data models, analytical tools, and what future standards need to look like. That's the type of thing that the Data Governance Council believes in."
Along with IBM, which founded the consortium, the Data Governance Council is backed by more than 35 of the company's customers and 17 other technology providers.
Some of the firms involved in the effort are already utilizing top-down data governance and risk management schemes to re-architect their IT and security systems and are seeing immediate benefits in lowering their exposure, Adler said.
Adler conceded that even for those early-adopters, the whole notion of applying risk management to their systems and operations goes slowly, but he said it is work that must be started sooner, rather than later, if organizations hope to see benefits in the coming years.
"A few years ago, the perception was that if you had a security breach, you should fire your chief information security officer, and clearly that was so naive because in the end, that was the one person who had the best understanding of how to protect a company," Adler said.
"Security today is an arms race handled on a weekly or daily basis, and most companies are so challenged by this process that they don't even have the bandwidth to be strategic about risk calculation," he said. "That has to change, and we instead need to hold people accountable who create the vulnerabilities; we will always have risk, but we need to start holding the average employee more accountable, and for those assessing [via risk management and governance techniques], that's already happening."