Every company has risk. In fact, risk can and should be construed as a good thing-no risk, no reward. What matters is how quickly a company can accurately identify current and future risk vectors and respond to them. In fact, risk management is becoming an increasingly important facet of how well a company executes, and companies that excel at it have discovered themselves with a newfound competitive advantage.
Why aren’t more companies “competing on risk?” According to a 2007 McKinsey survey, “many companies design their approach to IT around what they do-not what they could be doing.” The survey goes on to reveal that leading companies approach IT investments as they would a personal finance portfolio-classifying IT purchases as low-risk (stay in the race), medium-risk (win the race), or high-risk (change the rules of the race).
Another survey, by the IT Policy Compliance Group, found three categories of enterprise IT organizations: “leaders,” which they categorized as having an average of six compliance deficiencies, security-related business disruptions, or losses of sensitive data; the “norm” having an average of 17; and “laggards” averaging 65.
These surveys indicate that today’s corporations are much more risk-aware than some (such as security vendors) would think, and that despite conflicting opinions about what sort of risk management metrics matter and why, there are benchmarks for measuring how effective a company’s IT risk management efforts are.
So what distinguishes a leader from a laggard? Leaders are able to create the right mix of people, process and technology to implement clearly defined business processes that enable them to be more resilient amidst changing IT regulations and constantly evolving business requirements.
While process is only as good as the people and technology behind it, a good process can bring out the best in the people and technology that execute on it. As security organizations continue to adopt a more business oriented role, well thought out processes will play a key role in shaping tomorrow’s risk management leaders. Below is one that’s been adopted by large, heavily regulated companies. It’s no panacea, but it can provide a solid starting point for any company looking to embrace a more risk-aware approach to IT:
1) Prioritize the environment-In order to effectively manage risk, you need to know what your critical IT assets are-how many servers and applications, who uses and manages them, the type of data processed and stored. Some companies measure the assets’ relative importance to one another in terms of the business processes they support or the liability associated with the data they handle. Although many tools track this information, the trick is organizing it by business unit, geography, data center, product line, or some other groupings enabling analysts to use it on their terms, given how management may view risk or how an auditor may want to view compliance reports.
Identifying risks…
2) Identify risks and policies
There are several ways to identify risks and the policies required to manage them. The first is to identify standard IT operational policy controls used to protect critical information and assets and test to ensure they work. The risk of control failure can be calculated based on knowing how sensitive the protected information is, and how likely the control is to fail. Regulatory requirements often specify controls, but should not be assumed comprehensive for most organizations.
Another means to identify risks is to look at what others have already done to think through the problem. Organizations such as consultancies Deloitte Touche Tohmatsu and Protiviti have established IT-specific KRIs (key risk indicators) such as:
- Third-party and system breaches
- Changes resulting in production system disruptions
- Unavailability of qualified IT staff
Prioritizing risk (based on criticality) before policy control testing minimizes the amount of testing and the disruption caused when too many survey questions are posed to busy operations staff. It also provides IT operations with a basis for prioritizing the often complex task of fixing failed controls.
3) Test controls and identify gaps
For most organizations, control testing is typically a tedious, expensive process involving project management of questionnaires distributed to IT server and application owners, as well as gathering automated data from vulnerability scanners, security incident logs and network change management systems. From the mass of data gathered, gaps in the infrastructure are identified that require mitigation. Most organizations end up with “test fatigue” if they have no way of identifying what’s critical and what’s not, especially when testing is required for more than one regulation, like Sarbanes-Oxley 404 and PCI. Establishing a common set of critical controls that get tested once for multiple regulations is key to maximizing efficiencies and minimizing “burnout.”
4) Optimize mitigation
When hundreds of such control tests are performed, optimizing the work implied by the outcome requires application of risk scoring techniques. Risk scores are determined by asking key questions about the control, such as:
- How critical, in terms of business continuity or data privacy and protection, is the protected system to the business or to customers, regulators, partners, or shareholders?
- How much exposure does the protected system have to other systems, such as the Internet or partner systems, and how many users access the system?
- How likely is this system to fail the control test based on past performance or other information?
Once this is known, and risk scores are applied, priorities for IT operations can be established which leads to more productive and effective mitigation.
Report and monitor…
5) Continuously report and monitor
How companies, auditors, and regulators structure how reporting is done-what is reported to who, how often, and why, will ultimately distinguish the leaders from the laggards. For example, The Federal Information Security Management Act and industry mandates such as PCI are quickly moving in the direction of determining of compliance as a function of whether proper controls were in place and working at the time of a violation, rather than at the time of the last audit.
The practical logic of that approach makes a lot of sense in light of the first widely reported (possible) breach of personally identifiable information of by Geeks.com, which occurred despite a Scan Alert. “HackerSafe” certification displayed on its homepage. According to ScanAlert, there were several instances when Geeks.com was in fact out of compliance with their requirements for HackerSafe certification and the seal was revoked, and that it was during one of those instances when the breach most likely occurred. Just goes to show, compliance is a process-an ongoing process-not an event.
Despite the fact that risk and compliance management leaders reap the benefit of lower costs and higher productivity than their peers, according the IT Policy Compliance Institute, 9 out of 10 firms struggle with high rates of annual compliance deficiencies, business disruptions, data losses and thefts that could be prevented with better implemented IT policy compliance, risk, and governance programs.
In other words, “leaders” are still few and far between, and there is plenty of room for more. Ironically enough, if you follow the logic presented in these surveys, future leaders are going to be the ones with a high enough risk tolerance to make the people, process, and technology investments required to win the race. Is your company a leader or a laggard? Would it risk competing on risk? Can it afford not to?
Patrick Kerans is vice president of marketing at Agiliance. His responsibilities include marketing communications, demand creation, analyst and press relations, product strategy, and product and channel marketing.
Prior to joining Agiliance, Kerans served as head of marketing for Counterpane Internet Security (now BT Counterpane) in the managed security services market. Kerans has held management at Lotus/IBM and executive marketing positions at Altaway, which he co-founded, in the mobile data space. Prior to that, he held managing consultant roles at A.T. Kearney/EDS and Arthur D. Little, Inc.
Kerans holds a Bachelor of Science degree in Engineering from the University of Massachusetts, Amherst. He can be reached at pkerans@agiliance.com.