The Increasingly Complex and Challenging Landscape of IT Risk Management

By John A. Jackson | January 1st, 2008

Many enlightened enterprises are aligning the once disparate functions of Disaster Recovery, Business Continuity and Information Security into a single functional unit focused on IT Risk Management.

Some organizations have gone even further and added enterprise risk areas such as Regulatory Compliance (SOX, HIPAA, etc.), Safety Compliance (OSHA), and Environmental Compliance (EPA) to the Enterprise Risk function. The leadership of this newly converged business function (frequently called the Chief Risk Management Officer, or CRMO) faces a daunting set of challenges:

1. Understanding all of the business and technology issues encompassed in these diverse areas of risk. The typical CRMO’s background and expertise emanates from Legal, Audit, Finance or IT and is generally much narrower than their new CRMO responsibilities.

2. Creating a management paradigm which organizes all the issues; sets priority and sequence; assigns accountability; and establishes a mechanism to measure progress.

3. Creating and packaging a compelling message to their superiors so they can justify investment and demonstrate a return on that investment.

4. Understanding the marketplace of literally thousands of solution providers, each of which claims to have “the solution” to the problem.

As part of its continuing efforts to assist the CRMO in meeting the objectives of this role, Fusion Risk Management, Inc. has recently completed researching the risk management tool marketplace. This article provides a brief overview of the results of that research.

The Fusion IT Risk Marketplace Maps, which directly address challenge number 4 above, catalog all the vendors and offerings in the BC/DR and IT Security space into respective solution areas. The goal of the mapping exercise is to bring order, structure and clarity to the chaos of the marketplace, thereby enabling buyers to more concisely understand their options. It was further determined that a four-tiered taxonomy would be appropriate as the organizing principle. The generic illustration below depicts the BC/DR Marketplace Map taxonomy. The IT Security Marketplace Map is similarly organized.

Fusion’s application of this taxonomy to the Business Continuity/Disaster Recovery Marketplace resulted in the 8 Solution Domains as listed below:

1. Facilities

2. Recovery Planning Tools

3. Consultants

4. Alert Notification and Voice Recovery

5. Data Recovery and Protection

6. Server Recovery Technology

7. Media and Information Sources

8. At Time of Disaster Services

The Solution Domains were then further decomposed into sub-Solution Domains as appropriate. For example, decomposition of BC/DR Solution Domain 5 – Data Recovery and Protection resulted in the solution sub-domains of:

  • Replication Technologies
  • Backup Technologies
  • Vital Records Products and Services
  • Services

Vendors and offerings are then appended to each sub-domain to complete the organization of the Map, while the addition of documentation and/or URLs completes the content.

The completed Map represents a concise, yet comprehensive view of the marketplace and is an invaluable reference to prospective consumers or recommenders of these solutions.

The Fusion IT Security Marketplace Map is organized identically to the BC/DR Map, with a first tier of 6 Solution Domains as follows:

1. Security Information Management

2. Application Access Management

3. Network Security

4. Messaging Security

5. Content Security

6. Endpoint Security

An example of a sub-domain layer in the Security Marketplace Map for Endpoint Security is as follows:

  • Desktop/laptop
  • Phone/PDA
  • Removable Storage

These marketplace maps provide a structured view of the entire risk management/disaster recovery marketplace, greatly simplifying the identification of solutions for specific needs.

While Fusion’s Marketplace Maps provide a way to organize the available solutions, enterprises still need a method to assess their needs in the IT Risk Management area. The Fusion Framework is a web-based application which helps companies assess and manage their IT Risk Management programs.

The core of the Fusion Framework is the mapping and decomposition of the client’s IT Risk Management environment into successively more granular elements. A very rich set of metadata is then captured for each element, including current state, planned state, desired state, maturity ranking, business criticality, regulatory affinity, staff accountability, notes and evidence. The metadata forms the foundation for a robust set of analytics including project prioritization, progress tracking, accountability tracking, heat mapping, and management and C-level reporting.

With the Fusion Framework, companies are able to holistically assess their Risk Management profile and then make metrics-based decisions on the next most important projects. Many of those projects will involve selecting and integrating solutions illustrated by the Marketplace Maps.

For example, if a Fusion Framework assessment uncovered a need to improve endpoint security, a quick perusal of the Security section of the Marketplace Map would list all the vendors with an endpoint security solution, including relevant information about their products and services. Similarly, the Marketplace Maps could help identify the candidate solutions for a weakness in Security Policy Management/Enforcement or for Recovery Planning Tools. Although this article focuses on interaction between the Fusion Framework and the Marketplace Maps, each of these tools can also be a valuable standalone resource in the toolkit of the CRMO.

In summary, today’s IT Risk Management professional faces an incredibly complex and challenging universe of problems and “solutions”. Tools such as the Fusion Marketplace Maps and the Fusion Framework can help provide context and clarity for solving those problems.


About the Author: John A. Jackson

John A. Jackson is Executive Vice-President, Fusion Risk Management, Inc.
