IT, security and the business have important shared objectives: 1) raise stakeholder value, 2) drive performance improvements, 3) ensure compliance across activities and operations, and 4) protect the organization, its assets and its people.
We’ve seen breathtaking and awe-inducing changes over the last few years – the rise of a digital universe that is global, social, mobile and interconnected; the double-edged sword of innovation and rising risk profiles; the flight of business to the cloud; and IT/OT transforming to the orchestrator model. New technologies bring new risks, and it is becoming clear that there are growing disconnects between IT, security and the business on what this really means.
In the midst of all of this change, leadership, senior management and employees alike feel extreme pressure from customers, regulators and suppliers, all of whom demand explanations as to how their risks are being identified, managed and controlled. This can be a real challenge in the midst of increased threats, regulatory complexity and pressure to demonstrate control over material risks. In order both to support the strategic objectives of our organization and simply to do our job of keeping critical processes running and sensitive assets protected, we need to build a common language and discussion framework for understanding risk appetites and scenarios, and to identify and discuss risks in a context that the board and the business can understand and use in decision making.
Here are five fundamental questions, identified by Yo Delmar, vice president of GRC solutions at MetricStream, a provider of governance, (IT) risk and compliance (GRC) solutions, that we need to answer in order to get IT, security and the business on the same page with a 360-degree view of risk. Working with siloed views of risk is not an option anymore – the stakes are just too high for us to continue forward with the status quo.
Just how much risk is leadership willing to take in a particular area? How high is the bar? The board is required to set risk appetites, which senior management translates into thresholds, which in turn are mapped to policies that govern the behavior of people, processes and systems. Once established, policies, controls and reporting can be calibrated to feed the right indicators that allow management to make decisions to avoid, treat or transfer risk efficiently and effectively. But this starts at the top; key stakeholders must define their risk appetite and executives must agree. Everything depends on the right formulation of thresholds, policies and controls and, ultimately, on what is viewed and expressed as a risk. Without a good formulation of risk appetite, it is simply impossible for the organization to manage its risk effectively.
The business owns risk. Too often we see IT and security professionals signing off on risks that really belong to the business. It is often difficult to get the business to own or sign off on risks that have security or technology components that they simply do not understand. Sometimes we believe we have a separate set of “security risks” or “technology risks” that, when viewed in the context of the business, are more like control failures, threats or vulnerabilities. But traditional risk managers like to see risks described in terms of their potential business impact – probable loss magnitudes – and in IT and security that’s often difficult to do.
For example, how do we tie a vulnerability due to an unpatched piece of software, or an access control violation, to probable loss for the business? It’s easier when we talk about availability – we can often measure the effect of an outage on revenue if, say, the e-commerce site is down. But measuring the impact of a potential breach due to one of 10,000 vulnerabilities is more tenuous. It’s critical to map the threats and vulnerabilities unique to security and IT to business processes, impacts and thresholds in order to move the business to take rightful ownership.
It’s important to develop a common language when speaking about risk; one person’s risk assessment is another person’s control review, and they aren’t the same thing. Develop a “risk ontology” that defines the elements of risk and their relationships to one another, as well as the rules and calculations that determine what’s a real risk and what isn’t. Extend the traditional risk and control framework to a policy, risk, control and asset framework. Focusing on key performance indicators (KPIs), key risk indicators (KRIs) and key control indicators (KCIs) as a set of financial and non-financial metrics will help to provide insight into areas of potential risk, as well as show warning signals of possible loss events and other exposures.
It’s essential to make the transition from risk and compliance “identification” to risk and compliance “analysis,” and, finally, risk and compliance “intelligence.” Technology can provide a powerful foundation for analytics and automate much of the governance, risk and compliance process – especially as more automated continuous monitoring and measurement is available through the technology ecosystem.
Risk and compliance monitoring on an ongoing basis is essential to managing risk. We monitor and measure anomalies so we can take the right actions to get things back in line when thresholds are crossed. More and more, technology is being leveraged to provide continuous monitoring of technical controls on infrastructure assets, as well as of transactions within applications. Monitoring provides some measure of confidence that policies and controls are being adhered to and that threats and vulnerabilities are being managed. Know what you need to monitor and at what frequency.
To make it really effective, monitor against defined baselines, standards and acceptable thresholds that have been set by the business. Use key performance indicators (KPIs), key risk indicators (KRIs) and key control indicators (KCIs) that are mapped back to business processes to provide early warning alerts so that you can be proactive.
Leadership needs to know the size, the scope and the scale of risk in order to give guidance on how to manage it. Organizations need to develop a clear picture of the top risks, and of how they translate down through a hierarchy to lower-level controls, with an easy-to-understand risk model. You’ll need to get agreement on classification schemes to provide context. Leverage best-practice control frameworks and international standards, and assess as many aspects of the risk model as possible.
Use conversations with leadership to identify threat communities and their most likely attack vectors, motivations to access various assets, and skill levels. Model threat frequency and determine if controls on assets provide the right level of resistance to threats. Provide default ranges to risk analysts to help them in their analysis. Encourage risk analysts and subject matter experts to stay current with emerging threats and control standards, and revisit models frequently.
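As an added example (not from the article, and not MetricStream's product or Yo Delmar's method), here is a minimal quantitative risk model in Python that ties together the questions above: a board-set risk appetite per business process, threat frequency against control resistance, and a KRI with an early-warning band so the business can be proactive. The processes, frequencies, resistance figures and loss magnitudes are constructed assumptions.

```python
from dataclasses import dataclass

# Board-set appetite per business process: the largest annualized loss
# leadership will tolerate (constructed figures; currency units are arbitrary).
RISK_APPETITE = {"online-sales": 250_000, "payroll": 50_000}


@dataclass
class RiskScenario:
    name: str
    business_process: str           # the process that owns the risk
    threat_event_frequency: float   # expected attempts per year (analyst range midpoint)
    control_resistance: float       # share of attempts the controls stop, 0.0..1.0
    loss_magnitude: float           # probable loss per successful event

    def loss_event_frequency(self) -> float:
        # Attempts that get past the controls become loss events.
        return self.threat_event_frequency * (1.0 - self.control_resistance)

    def annualized_loss(self) -> float:
        return self.loss_event_frequency() * self.loss_magnitude


def kri_status(scenario: RiskScenario, appetite: dict) -> str:
    """KRI: where the scenario sits against the owning process's appetite."""
    ratio = scenario.annualized_loss() / appetite[scenario.business_process]
    if ratio >= 1.0:
        return "breach"           # above appetite: avoid, treat or transfer
    if ratio >= 0.75:
        return "warning"          # early-warning band, act before the threshold
    return "within appetite"


def resistance_needed(scenario: RiskScenario, appetite: dict) -> float:
    """Minimum control resistance that brings the scenario within appetite."""
    exposure = scenario.threat_event_frequency * scenario.loss_magnitude
    if exposure <= 0:
        return 0.0
    return max(0.0, 1.0 - appetite[scenario.business_process] / exposure)


# Constructed scenarios in the page's terms: a vulnerability, an outage and an
# access-control violation, each mapped to the business process it threatens.
SCENARIOS = [
    RiskScenario("unpatched storefront web server", "online-sales", 12, 0.90, 300_000),
    RiskScenario("storefront outage", "online-sales", 2, 0.50, 200_000),
    RiskScenario("payroll access-control violation", "payroll", 4, 0.95, 100_000),
]


def report(scenarios=SCENARIOS, appetite=RISK_APPETITE):
    """One row per scenario: name, annualized loss, KRI status, resistance needed."""
    return [(s.name, round(s.annualized_loss()), kri_status(s, appetite),
             round(resistance_needed(s, appetite), 3)) for s in scenarios]
```

The last column tells the control owner how much the control on that asset must improve (for instance through patching) before the risk falls back within the appetite the board set.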