One dimension of an enterprise risk management strategy requires that IT security executives protect information without restricting or limiting the activities of the business. This often difficult balancing act requires, first, the ability to protect assets differently based on their relative importance to the operation of the business or the risk involved if the asset is compromised. Second, security executives and managers need to gain the trust and cooperation of their peers across the business. Creating this partnership requires the ability to communicate to the business partner the effectiveness of current management practices in reducing risk, using practical, easy-to-understand metrics.
Operational risk management is an emerging management discipline that includes the ability to transform the ever-increasing number of events into a smaller number of highly actionable alerts. By focusing resources on high-impact alerts, IT security can reduce the number of security incidents, reduce the cost of incident resolution and reduce the potential impact of an incident on business activity. While early investments in log management addressed a pressing need to respond to auditors and to prove controls are in place, log management alone had minimal impact on mitigating risk. Operational risk management enables IT security to verify that controls are enforcing policy.
Many organizations have turned their attention to the methodical implementation of controls, or security best practices. Monitoring controls mitigates risk and provides the proof that the controls are performing as intended: enforcing enterprise risk policies. By implementing a centralized management solution that can monitor events and controls, IT security takes a stronger position in enabling the enterprise risk management strategy.
Of equal or perhaps even greater value is the security managers' ability to provide high-impact communication to business partners using practical, easy-to-understand metrics. For example, the IT security staff could easily demonstrate how they are reducing the impact of an increasing number of attacks on the business by comparing the sheer number of attacks to the reduced number of incidents, or to the reduced average duration of the incidents resulting from those attacks.
Another example of how security metrics can be used to increase cooperation between the business and IT is to illustrate the impact of behaviors on the risk profile of a company. For example, metrics can demonstrate the relationship between the number of high-cost incidents and the introduction of a new application. Such an example might generate new energy around new application development practices, launch procedures or training.
Security metrics can also be used to illustrate the return on dollars spent by showing the impact of new security technology or processes on reducing the number of successful attacks. Trend reports presented as easy-to-understand graphical metrics on an accessible dashboard provide the security executive with an effective way to communicate ongoing progress against risk reduction objectives.
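The two metrics described above (attacks seen versus incidents and their average duration per reporting period, and high-cost incidents broken out by application) can be computed from monitoring counts and incident-tracking records. The following is an added illustration, not code from the article or from Intellitactics; the attack counts, incident records, field names and cost threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Incident:
    period: str            # reporting period, e.g. "2008-Q1"
    application: str       # application involved in the incident
    hours_to_resolve: float
    cost: float            # estimated cost of the incident to the business


# Constructed sample data: attack counts as reported by monitoring tools,
# incident records as kept in an incident tracking system.
ATTACKS_SEEN = {"2008-Q1": 1200, "2008-Q2": 1800}
INCIDENTS = [
    Incident("2008-Q1", "billing", 12.0, 8000.0),
    Incident("2008-Q1", "portal", 30.0, 25000.0),
    Incident("2008-Q1", "billing", 6.0, 3000.0),
    Incident("2008-Q1", "hr", 24.0, 12000.0),
    Incident("2008-Q2", "portal", 8.0, 4000.0),
    Incident("2008-Q2", "newapp", 20.0, 60000.0),   # incidents following a new launch
    Incident("2008-Q2", "newapp", 14.0, 45000.0),
]


def period_metrics(attacks_seen, incidents):
    """Per period: attacks, incidents, incidents per 1000 attacks, mean hours to resolve."""
    by_period = defaultdict(list)
    for inc in incidents:
        by_period[inc.period].append(inc)
    result = {}
    for period, attacks in attacks_seen.items():
        incs = by_period.get(period, [])
        result[period] = {
            "attacks": attacks,
            "incidents": len(incs),
            # Normalising by attack volume shows risk reduction even as attacks rise.
            "incidents_per_1000_attacks": round(1000 * len(incs) / attacks, 2) if attacks else 0.0,
            "mean_hours_to_resolve": round(mean(i.hours_to_resolve for i in incs), 1) if incs else 0.0,
        }
    return result


def high_cost_incidents_by_application(incidents, period, cost_threshold):
    """Count incidents at or above cost_threshold per application in one period, most first."""
    counts = defaultdict(int)
    for inc in incidents:
        if inc.period == period and inc.cost >= cost_threshold:
            counts[inc.application] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))
```

Plotting `incidents_per_1000_attacks` and `mean_hours_to_resolve` per period gives the trend view the article describes, while the per-application count ties high-cost incidents to a specific launch.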
Compliance requires continuous commitment to process and technology implementation. Operational risk management effectively protects information and reduces risk, thereby satisfying the expectations of executives, auditors, business managers and customers.
Pamela Casale is Chief Marketing Officer at Intellitactics, Inc., 703-480-0203; email: pcasale@intellitactics.com; web: www.intellitactics.com.