IBM expert: IT risk is opaque

Just as many financial services firms failed to predict the meltdown of the sub-prime lending sector and its ripple effect on the overall U.S. economy, IT and data security teams won't be able to sufficiently secure their assets and information unless they become far more progressive in assessing risk, according to IBM's top expert in the field.

Steven Adler, program director of IBM's Data Governance Solutions unit and chairman of the Data Governance Council industry group, said that just as U.S. lenders should have seen the writing on the wall long before the sub-prime market collapsed, IT security executives must begin using more progressive risk management techniques if they ever hope to get ahead of data breaches, malicious attacks and emerging compliance regulations.

The traditional model of addressing such technological and business challenges in a responsive manner has been broken for a long time, and organizations may have foreseen the current era of urgency in dealing with breaches, attacks, and regulation if they had applied greater levels of risk assessment to their IT operations sooner, Adler said.

The only way that businesses, government agencies, and other organizations will prevent continued security failures -- and rising overhead expense related to handling all of those problems -- in the future is by taking closer look at how they can embrace risk management and data governance today, he said.

"With the lending sector, risk was not priced into the market appropriately until August of 2007, and those markets were not acting efficiently before then -- they weren't able to accurately predict the risk of companies like Bear Stearns until it was far too late," Adler said. "Every market is an arbitrator of fear and greed, and information about risk is what we all use to make educated decisions. We need new data governance standards to help companies engage in smarter risk calculation, modeling, forecasting, and analysis on a much more systemic basis."

Most businesses are already collecting volumes of data that could be put to use in making more informed decisions about IT security and management, but they simply don't know how to put the information to work in a manner that will allow them to do so, according to the expert.

And Adler said that while companies like IBM can supply some of the consulting and technologies needed to help companies improve their risk management capabilities, the process must be addressed on a much higher level that allows organizations to begin moving forward on their own.

"CIOs are already collecting reams of data that could help with risk calculation in their logs, identity management systems, and intrusion prevention tools, but most of the time, it sits uncorrelated, uncompared, and unanalyzed," he said. "These companies have a wealth of information that could help them calculate risk more effectively; as an industry, we need to talk more about new data models, analytical tools, and what future standards need to look like. That's the type of thing that the Data Governance Council believes in."