Campaigns addressing compliance with legislative mandates are becoming a large -- and growing -- portion of enterprise risk management (ERM) strategies.
Consequently, the employees charged with creating risk assessments are spending more time making sure their firms are in line with the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and various other federal and state regulations. And because some regulations place the onus on high-ranking corporate officials to make sure the proper controls are in place, governance has quickly moved much higher up the ERM food chain -- a place experts say it is likely to stay for the near future.
Chris Thom, chief risk officer for MasterCard, says compliance has become one of his company's primary concerns in creating an ERM strategy.
"Because we are a kind of a franchise business, lending our name to other businesses, we need to search end to end [for potential risk] -- not just at MasterCard -- to see what problems there are," he says. "We map all of that together with our external and internal auditing and our Sarbanes-Oxley requirements."
While top-level executives historically wanted to hear only about financial risks in risk management meetings, they are now also concerned with keeping themselves out of hot water through regulatory compliance. Rick Wenban, an information security consultant for Michaels Stores, says he has seen the same dramatic increase in the prioritization of compliance.
"It's very big," he says. "Five years ago, you never heard much of anything about governance."
Non-compliance, along with its legal and financial ramifications, is now considered a main threat by companies -- a drastic change of view in the last couple of years, according to Peter Tippett, Cybertrust's chief technology officer.
"The biggest increase we see in the long run is that people think of compliance as different from [ERM]," he says. "We think of compliance as just another risk -- and we need to fix risk."
Yet security experts note that while completing a checklist of compliance standards may ensure a company is on the right side of federal regulators, it in no way creates a holistic battle plan to defend against the unique daily threats that face every organization.
This confusion of compliance mandates with defensive strategies is one of the negative -- and all too common -- results of the emergence of governance as a chief ERM concern, says Kris Lovejoy, CTO and vice president of technology and services at Consul Risk Management.
"The audit community is driving people to think that IT management is just a narrow list," she says. "But I'm always pretty positive about compliance. With Sarbanes-Oxley, it's all about me. It's all about protecting my interests."
This latest trend marks an obvious change of concerns from even a decade ago, when executives did not yet have Sarbanes-Oxley or, for that matter, vast IT security threats to worry about. Then, executives were free to concentrate their risk management dollars on protecting their firms from strictly financial hazards.
A completely different list of priorities has since arisen, says Elliot Zember, vice president of industry solutions for IT security vendor FoxT.
"Even in 1999, you would have risk management meetings and it would all be about the risk of losing capital -- soft things," he says.
Now, IT security professionals are more in tune with their company's risk assessment strategies, although they should keep in mind that risk management and compliance are two distinct disciplines. SOX or HIPAA guidelines aside, corporations must use something far more diverse than a routine checklist to create a holistic risk assessment strategy.
Companies must prioritize the risks they face, using their own histories, threats and unique business endeavors to determine which dangers receive more resources.
Executives should then determine how much of the company's resources -- both personnel and financial -- to put toward a threat, depending on its relevance to the business, says Randy Sanovic, general director, information systems security, GM.
"Often, based on limited resources, you will need to determine what priorities you want to protect and others you may appropriately only contain, isolate, simply eradicate, etc.," he says. "You should also determine if, based on risk assessment/management tenets, you want to construct your protection mechanisms to be reactive or proactive. This choice may be based on the availability of technological capability, as well as the related costs."
Companies must create a prioritized list of the threats against their assets before determining which areas need the most attention, according to Chris Kenworthy, senior vice president of field and product marketing for McAfee and a former Foundstone executive.
"For any company's business, one of the biggest parts of risk management is prioritization. Foundstone started forming on that years ago," he says. "Security products used to create a lot of data. But it all comes down to prioritization, what people do and don't have to worry about."
This takes more than just writing down threats on a napkin. Research -- including the use of enterprise-level threat metrics for the software and applications a company uses -- can help executives anticipate which threats will come their way during a fiscal year.
Researching what your superiors have in mind also helps in determining a risk strategy, says Wenban.
"The first thing I do is interview senior management and get an idea of what kind of pain threshold they have for risk management," he says. "Later I'll pull together all of the different audits they have."
Just opening the checkbook doesn't make for a coherent strategy either. Companies that just buy products to fix IT security holes -- without creating an actual strategy -- may find themselves wasting money.
At times, a product can become an organization's own worst enemy, because the organization then has to secure and audit the very tool it bought to protect its systems, says Will Gessner, executive vice president for global operations and head of the risk management business unit at ISG NovaSoft, an industrial group.
"Having been a CIO for many years, what you don't want to do is have a tool that's going to be an end in itself. You want a tool that's going to be a means to an end," he says. "You don't want a product that is going to have to be audited itself."
Purchasing products that become liabilities in themselves or just "throwing money at the problem" without holistic analysis can become a problem both for the IT security professionals on the front lines of security and for the executives keeping an eye on the company's bottom line.
The establishment of a thorough risk management policy is more than just a solid protection of company interests -- it's also good business policy. While not a replacement for good risk assessment planning, staying up-to-date on regulatory responsibilities helps businesses maintain a good reputation with clients. After all, what prospective partner wants to worry about a company's noncompliance with HIPAA, SOX or any of a list of other standards, asks FoxT's Zember.
"How much is it worth to you that you can point out to clients that you are SOX compliant?" he says. "For one, your CEO doesn't go to jail."
Likewise, when presenting an overall risk management strategy to company executives, CTOs should strive to point out where their efforts to keep assets safe will actually save the company money, according to security professionals. A good security policy also gives a firm more financial flexibility, since it frees the company to move spending elsewhere, says Kerry Bailey, vice president of global services, Cybertrust.
"Companies that do already have a good security strategy in place can then spend money much more easily than other companies can," he says.
Another rule of thumb for presenting strategies to superiors: Don't blow threats out of proportion, says GM's Sanovic.
"Don't be an alarmist," he says. "Instead, focus on reducing or eliminating business risk/impact, and thereby maintaining or adding to the enterprise's bottom line, i.e., net revenue."
Another tip is to present executives with information emphasizing how your proposed strategy fits into overall business and security plans, says Sanovic.
"It may help to show you've done due diligence by presenting several prioritized security related investment choices, but only recommending the ones that maximize risk reduction and have the greatest business benefits," he says.
Even having all of the necessary information is only half of clarifying a strategy to an executive. Often it helps to put oneself in the position of a top-ranking company official responsible for keeping the company checkbook tight.
"If we can go to a chief financial officer and say, 'This is where we're going to reduce risk and save this much,' any CFO can see that," says Cybertrust's Tippett.
Of course, CFOs have more on their plates than just security, an important point to remember when presenting a risk strategy, says Michaels Stores' Wenban.
"If I start talking too much tech stuff, their eyes glaze over," he says.
Done properly, an all-encompassing risk management strategy explaining the benefits -- financial and other -- could be just what a financial executive wants to see, adds McAfee's Kenworthy.
"A good risk management strategy actually saves you money," he says. "You spend where it's worth it, and you don't spend where it's not worth it."
THE PROCESS: Four steps to take
There are four stages of the security risk management process. They include:
1. Security Risk Assessment -- This is an objective analysis of the effectiveness of the current security controls that protect an organization's assets and a determination of the probability of losses to those assets. A security risk assessment reviews the threat environment of the organization, the value of the assets, the criticality of systems, the vulnerabilities of the security controls, the impact of expected losses, and recommendations for additional controls to reduce risk.
2. Test and Review -- Security testing is the examination of the security controls against the security requirements. Security controls are determined during the security risk assessment and tested during security testing efforts.
3. Risk Mitigation -- Risks to an organization's assets are reduced through the implementation of new security controls or the improvement of existing controls. Security risk assessments provide information to allow senior management to make risk-based decisions on the development of new controls or the expenditure of resources on security improvements to existing controls.
4. Operational Security -- The implementation of most security controls is performed by operational personnel. Daily and weekly activities such as applying patches, performing account maintenance, and providing security awareness training are essential for maintaining an adequate security posture.
-- Douglas Landoll, general manager of security services, En Pointe Technologies
GETTING IN LINE: Security control standards
Among the standards and regulations that provide a list of required security controls are the following:
- Generally Accepted Information Security Principles (GAISP)
- Control Objectives for Information and related Technology (COBIT)
- Information Technology -- Code of Practice for Information Security Management (ISO 17799)
- National Institute of Standards and Technology (NIST) Special Publication 800-12 (An Introduction to Computer Security: The NIST Handbook)
- Health Insurance Portability and Accountability Act (HIPAA), Final Security Rule (HIPAA Security)
- Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA)
- DCID 6/3 Manual -- Protecting Sensitive Compartmented Information within Information Systems
- NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems).
-- Douglas Landoll, general manager of security services, En Pointe Technologies, from his new book, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments.