Enterprise Security Trends Blog | HP Blogs
Keep up with the latest cyber, consumerisation, collaboration and cloud enterprise security trends from the team of HP information security professionals.

How important is monitoring and measurement when it comes to information security?

By Jeremy Ward, Security Services Development Lead


It is a truism to say, “you can’t manage what you don’t measure,” but how many organizations understand that when it comes to managing enterprise security risk? In almost every organization I visit I find that responsibility for managing information security risk is spread throughout many parts of the business. The result is that the enterprise lacks a clear understanding of what their risk is, how it’s being managed and who is taking responsibility.


333325967_a450c1d39b.jpgWhat’s the right approach to business risk management?

No company is going to be able to solve this problem overnight. However, there are some initial steps you can take to get an all-round, coherent view of information and business risk management. First, you need to decide who in your organization should to be involved with information security risk management. Remember that it’s all about the business, not about IT or technology (although obviously these play a crucial role). Above all, we must involve people who understand how the business uses information and how important it is to ensure that this information is not tampered with and is only available when required by those who need access to it.


Risk can be measured by the likelihood that threats are able to exploit vulnerabilities and thus cause incidents that could have an impact on your business-critical assets. Those individuals you have identified as needing to be involved must to be brought together to take a strategic view of how these components (threats, vulnerabilities and incidents) can best be monitored and managed. HP has an interesting paper that explains the practical measures you need to take called Are you measurably reducing your business risks? Are you taking a strategic approach to risk mitigation?


It important that risk management and mitigation be viewed strategically. All too often, organizations take a tactical approach. This may sort out the immediate issues but it leaves faults in the underlying systems. For example,  a business that has suffered serious data loss may decide to implement a technology designed to counter the threat without addressing the personnel and processes issues which made the enterprise vulnerable to the threat.


The principles of information security risk management are the same whatever the size of your organization. You need to be able to:


  • Understand what information is critical
  • Take a strategic approach to the management of threats, vulnerabilities and incidents
  • Monitor and measure the effectiveness of your actions

In this way you can avoid business damage that you can not afford in these tough economic times.

If you’d like to learn more about how HP Enterprise Security is helping clients mitigate enterprise security risks, check out our a one day Security Discovery Workshop that enables organizations to take a holistic, pragmatic and strategic view of their information security risk issues and to determine their roadmap and immediate actions to better risk management.


Click here for more information on measurably reducing your business risk.

Nadhan | ‎12-14-2011 08:13 PM

Jeremy, Fully agree with the management of business risk when it comes to Information Security.  We must complement this with the deployment of solutions that effectively enable business risk management -- which is why Applications Security Testing is Vital to the Enterprise.  This is true for all enterprises -- even the SMBs.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the community guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.