Rise Of Risk Management

In the words of a fellow Chicagoan, never let a good crisis go to waste. A unique convergence of circumstances makes this the perfect time to bring IT and business units together under the flag of a risk-oriented approach to security. Economic stress and cutthroat competition on a global scale mean every dollar you spend on security had better matter. When the bad guys make news, it's big news: Just the speculation back in December that WikiLeaks might reveal Bank of America data, for example, briefly sent the company's stock down 3%, before it bounced back. Executives are increasingly being held personally accountable, and unified risk management as a discipline is finally reaching maturity.

Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies' IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.

We've been talking the risk talk for years. Now it's time to walk the walk, as a team.

What does that mean, exactly? We need to articulate the value proposition for our security spending--what the business is gaining--in a manner executive management can digest. Sure, there's been pressure before to associate business risks and the cost of corresponding controls, and plenty of CISOs have slung plenty of shaky financials.

Drop the charade. Commit to shifting the focus from fire drills to the business of information security, and you can finally move from being a cost center to a strategic asset that delivers a real competitive advantage. "Our holistic program for identifying and managing IT risk has moved our culture from risk awareness to risk intelligence," says a director at a medical device company. "We have been able to educate the business and help them understand that IT risk is business risk."

Company size and vertical industry don't matter here. Large enterprises have skin in this game because their executives are accountable and their reputations are on the line. Smaller businesses that provide services or products to large enterprises care because their customers expect them to meet rules and regulations, whether PCI, HIPAA, or state-level data privacy laws. Bouncing from one tactical project to another without a master plan is a losing proposition. We've found that companies that manage risk more effectively than their peers perform better financially--in any economy.

Risk Avengers

Tenets of Risk Oriented Security
Become an InformationWeek Analytics subscriber and get our full report on risk management.
This report includes 40-plus pages of action-oriented analysis packed with 24 charts. What you'll find:

Get This And All Our Reports

Start Moving

Our experience working with a range of clients shows this transition is coming, ready or not. The drivers to adopt a risk-oriented strategy almost always involve a combination of six universal complaints:

>> Security's status and legitimacy constantly fluctuate. Big, scary events, like the attack on Google or the WikiLeaks data dumps, bring attention to the need for security. But then, adding restrictions to prevent such events results in grumbling and attempts to bypass controls. We need some equilibrium.

>> Security executives struggle to convey information effectively to their business counterparts and the board. Headline-making events like the Heartland breach clearly show what security flaws can do to the brand, but you can't depend on cautionary tales to get your message across.

>> Security executives may also struggle to articulate the business value of their programs; see items 1 and 2. It's not always easy to connect the dots on how hardening an operating system makes money for the company. OK, it's never easy.

>> Rank-and-file security teams working to bring together various silos, from compliance to audit, often end up in the middle of unproductive turf wars.

>> Security projects go haywire-- maybe the program faces stiff organizational resistance or costs exceed expectations, and then, adding insult to injury, those expensive controls are only moderately effective.

>> There's constant and time-consuming grappling among security, compliance, and operational teams for power and budget. In particular, we often see information security and compliance positioned in a manner that virtually guarantees conflicts of interest, and as physical and logical security continue to merge--for example, as badges and computer credentials are linked--there are bound to be questions of who's responsible for what.

We've all faced riffs on these problems for years. A risk-oriented approach will help in every area.

If you're ready for a change, adjust your mind-set in two fundamental ways. First, expand your scope to include at least information security and technology risk, operational risk, and compliance as you work to transition away from tactical security and point projects. Second, think about the ongoing role of the security team. A holistic, risk-based approach is one where security efforts are targeted, relevant, and adaptable enough to be effective, no matter what direction the business moves.

It's as much an opportunity for alignment as it is a call for change.

Get Your Zen On

There are plenty of circular arguments about risk that make us want to stick our heads in the sand. Elaborate frameworks and expensive technologies will fall short or fail outright, and pundits will keep spouting what will often feel like (and, in fact, is) bunk. But there's a grain of truth in all this expansionism. In our survey, 40% of respondents say their companies will extend their risk programs to be more comprehensive. They have to, because the tenets of risk management, which we outline in the story on p. 36, are deceptively simple. When you really wrap your brain around what it takes to assign asset values, threats, controls, policies, procedures, responsibilities, and workflows, and then manage them across organizational, jurisdictional, regulatory, and even national boundaries, it becomes clear that we need all the inclusiveness we can get. But similar to the evolution from the firewall jockey who ruled 10 years ago to the information security manager and professional CISO of today, risk management is ready to become an over- riding model.

And that can't happen until someone takes charge.

Rise Of The CRO

Ten years ago, CEOs we worked with wanted a few fairly straightforward things: one person to be responsible for the security staff and technology, a basic action plan, and a reasonable budget with some pretty graphs. Soon, CISOs started springing up like spring crocuses.

Today, business execs at Global 50 companies and SMBs alike want their risk management programs to incorporate information security and technology risk, operational risk, and compliance. They want information security that has a solid value proposition, with quantifiable metrics. They want a cohesive account of what they should be worried about and, just as important, what they shouldn't. They want a single source able to provide a concise assessment of the company's risk profile at any given moment, and a list of investments most likely to mitigate future risk. And particularly when things are going from bad to worse, they don't want various assessments from IT, compliance, and business teams protecting their turf or shirking accountability.

In short, they want one individual to take ownership of all of the above, and our experience shows they're now willing to pay for it.

Enter the chief risk officer.

While just 3% of respondents to our survey say a CRO is the primary owner of the IT risk management program within their companies, we think that within a few years, the role will be commonplace, especially in large enterprises. However, to bring everyone together, the CRO must be able to form an agile organization that can dodge and weave and evolve with the regulatory climate, attacker landscape, budgetary cycles, and industry dynamics. The CRO must have a vision compelling enough to silence the inevitable naysayers and gain cooperation from people with many different priorities.

The ideal candidate will have technical, financial, and operational chops and the authority to institute and enforce standards. If you can't see yourself explaining to the head of e-commerce why (and how) secure coding practices must be implemented for the largest revenue-generating arm of a global retailer, this isn't the job for you.

We worked with a security executive at a major retailer who took the initiative to team with his CRO and aggressively begin the transition to enterprise-wide risk-based management. The company pushed through a reorganization that established risk as a core business function of security. That's key. Now, whenever an IT decision is made, security is a foundational element, not something tacked on later. If you've ever been asked to do a code review on an application that's already been rolled out to half the company, you know that duct-taping security on after the fact is always more expensive and less effective. Because of its risk focus, the company not only doesn't pay that premium, it's able to invest in such big-picture cross-functional efforts as global policy and infrastructure reengineering.

Having an overriding strategy is even more important for organizations that are struggling. In this company, the operations group is working at 120% capacity, but operating systems still must be hardened before they're deployed. How, when the staff is stretched to the limit? Because security leadership is participating throughout the project planning process and having security requirements included in the timeline and scope, the team is getting funding. And as a result of incorporating business risk as the value proposition for security controls, it's able to develop standards for the enterprise to use, and reuse. Meanwhile, these leaders frequently meet with their business counterparts to understand their priorities, so their requirements and concerns are reflected in the security group's strategy and budget. Now, when business problems arise down the road, technologies should be in place to address them.

No surprise, this company is now on a solid path. Resources are still tight, but the security team as a whole has proved it's willing to do what it takes to transition security from a cost center to an asset.

The bar is set high.

Words Matter

"Risk" has always been in the information security lexicon; however, the risks we like to talk about aren't the ones that keep executives awake at night. The CEO doesn't care about which firewall you're running or that your antivirus stopped 73 pieces of malware yesterday. So when making the case for a risk-centric security structure, stop throwing out the latest stats about spam or viruses or malicious packets and start talking about the stability and availability of the systems and services that drive the business. The executives we work with worry about what regulators will find in an audit, and if there could be financial repercussions. They care about protecting the company's intellectual property as well as customers' data. They care about not showing up on the front page of the newspaper because of a breach. They care, in short, about the bottom line.

"It's like asking how much money my insurance policy saves," says one VP of IT, in a classic argument about the returns on a risk management program. And of course, quantifying losses avoided or risks mitigated is difficult. But our survey respondents say their risk management programs will provide tangible value. When we ask them about the cost savings or expense of risk management initiatives, their top answer, at 31%, is that they'll save the company a little time and money; 30% say they will save a great deal of time and money.

In the long term, absolutely. For now, most companies we work with find that risk programs aren't simple to implement; they require a deep commitment to change. Holistic is expensive. When we ask what's holding back those companies without formal IT risk management programs, respondents cite a lack of management will, lack of budget, and lack of time and manpower (read: not enough money). Traditionally, risk has been managed in an ad hoc fashion within various organizational silos and business units. Sometimes one individual is responsible for compliance, but more often than not, we see responsibility scattered across various units. Accountability is hit or miss.

Changing that structure isn't cheap or easy, but there's a lot at stake. Globalization and outsourcing are here to stay. Competition is fierce. Either define yourself and your company as an agent of change or get out of the way. And don't think you can do that by narrowing your scope. In our survey, 65% of respondents say their programs don't include operational, financial, or business risks, though they will be expanding. Reduce your sphere of responsibility too much and you may end up on the outside looking in.

The Hurdles

OK, so how to get there. We'll lay out some steps later, but there are five larger roadblocks to address.

>> Multiple parties vying for power, opportunity, and relevance. Risk management crosses many fiefdoms: CIO, CISO, compliance officers, even internal audit, insurance, and legal all want a stake. Meanwhile, the security team doesn't own the risk lexicon. Don't try to dazzle colleagues with jargon; engage them and leverage their experience and expertise.

>> Limited success and confidence from the organization. Security teams have been slogging along for years, straining to be heard and respected, yet compromised systems, data loss, and perimeter breaches are still common.

Companies that should know better deploy systems and devices with default configurations, run old and vulnerable versions of operating systems, can't manage to patch critical systems, and have no secure application coding policies. Consider our survey responses when we ask how effective security programs are: Only 10% rate their programs excellent. Thirty-eight percent select generally satisfactory, and the remaining 52% go downhill from there.

The information security officer for a state-level government law enforcement organization reflects on this malaise: "General thinking in management is, 'It has never happened before, so it won't happen in the future,' and, 'If it does happen, no problem as long as it doesn't happen on my watch.'" This law-enforcement group, which has more than 5,000 workers, employs one lone CISSP.

>> An inability to develop and execute on a vision. Maybe you think you don't have time to do strategic planning. Often, companies don't expect it of CISOs and security managers, so they have not gotten in the habit of thinking long term.

>> A perception of security teams as combative and obstinate, prone to slinging fear, uncertainty, and doubt to force change. There, we said it. Always pointing out your technical superiority and the problems your users cause is no way to build camaraderie. We haven't driven everyone away--64% of survey respondents say business executives and IT are either fully or generally in agreement on risk management program priorities, activities, and value. Just 4% say those groups are at loggerheads. But it's not just the CEO you need to win over. Alliances are at the heart of risk-based security.

One of our clients has long struggled to do regular information security assessments. It's a sensitive subject--systems aren't as stable as they should be. The IT team already works six-day weeks, and there were no known compromises to force the issue. Finally, the security team allied itself with the audit group, aligning its responsibilities with a critical area of concern to the business. Security was no longer the lone shepherd crying wolf.

>> The security technology landscape isn't helping our cause. Standard defenses like antivirus software are ineffective and expensive, Web application firewalls require security teams to know as much application logic as developers, and a parade of new end-user devices and computing paradigms only adds to the problem. Take the iPad and smartphones. They've become standard gear for sales teams, but mobile device management policies haven't kept up.

Under the old security model, sales executives were expected to get clearance before letting their staffs upload sensitive information, like price lists, to mobile devices. But we all know that isn't happening. The cloud is another example of how rapid change is outpacing our ability to ensure security. Forget putting the brakes on; mobility and cloud services are seen as bringing competitive advantage. Maybe the risks involved are worthwhile, maybe they aren't. It's not your job to decide. Your job is to be a trusted adviser, providing the risk analysis that will let business leaders make informed decisions.

We've faced power struggles and technical roadblocks before. Smart infosec teams will see this period of transition as an opportunity to reengineer themselves and their organizations.

If it sounds like we're telling you to embrace turmoil, you're half right. But here's the flip side: A risk-management-centric security strategy can be a vast improvement over how we're living today. Imagine that instead of fighting to be heard, you're working with the business toward a shared vision. That can't happen until you have a coherent way to set policies and select technologies.

Eight-Step Program

Some companies wouldn't dream of deploying software until version 2.0; let the early adopters work out the kinks. In much the same way, the risk management movement has been gaining momentum over the past several years. Forward-thinking organizations kept the pressure on vendors and standards bodies to provide the tools and frameworks to make a comprehensive risk-oriented approach possible; now, you can reap the benefits.

As we discuss in our full report, there are plenty of frameworks, tools, and best practices in place. To get started:

>> Take a small step by putting together a registry and controls library for tracking the risks your organization faces--unpatched systems, ineffective processes--and documenting related data, such as who owns the asset and expected mitigation dates. At this point, a spreadsheet is all you need.

>> Develop and maintain a services inventory. What are the IT services on which the business runs? Think about your e-commerce platform, customer support systems, cloud-based storage. How important are they? What are key characteristics--is there sensitive data involved? What about the servers that comprise the system--are they physical or virtual, and where are they? List all the assets that make up each service.

>> Identify allies. Present your vision to senior executives in as many business units as possible, from sales to customer service, HR, and finance. We often find IT is surprised at the warm reception they get.

>> Establish a vision: What will enable you to successfully transition to a risk-management- and analysis-based approach? Identify both tactical and strategic objectives.

Consider this timeline: Define the guiding framework in 60 days, establish values for all critical and sensitive assets in six months, have an established risk analysis procedure in place in nine months, meet framework compliance in 24 months.

>> Select a guiding risk management framework. These frameworks, which we discuss in the story on p. 38 generally have the same core components, so don't get bogged down obsessing over your choice.

>> Reboot your relationships with management, peers, and business colleagues. What must you as a security professional do differently to make sure everyone is working toward the same goal--managing risk--rather than being reactive, jumping from exploit to exploit? How can you convey information so that everyone understands the new vision?

>> Identify critical areas of risk that have no owner or have consistently caused the business problems, and propose a plan for addressing them. First, tackle problems that are within your current sphere of influence or responsibility and cause the business particular pain and angst. Separate quick projects from long-haul efforts. Apply easy fixes, let people know how they'll save money and/or make the company safer or more competitive, then use the resulting goodwill to hammer away at bigger stuff.

>> Tailor your pitches based on what keeps people awake at night. The security team worries about military-grade hackers. Executives worry about being held personally liable, if only in the court of public opinion. Compliance officers see the regulatory climate shifting, and the CFO has shareholders asking for more transparency. All of these problems can be addressed with a comprehensive risk-based program.

Erik Bataller is a senior security consultant with Chicago-based risk management consultancy Neohapsis.

Continue to the sidebars:
Risk Management in a Box?
and
Tenets of Risk-Based Security Management

InformationWeek: Jan. 31, 2011 Issue

Download a free PDF of InformationWeek magazine
(registration required)