Tackling risks based on how IT problems could affect business operations still befuddles some companies, despite industry hype ballyhooing risk management (RM) practices.
By adopting an RM approach, organizations are supposed to align security processes and deployments with business needs. They should also get staff to work together to keep the company focused on business initiatives while avoiding IT problems, and help department heads and IT leaders focus their resources and funding on appropriate security needs.
But how to execute a solid plan that defines, mitigates, manages and measures security risks to the business is unclear to some. One main reason for this is that exactly what risk management is has become amorphous.
"There's only one more phrase [than risk management] that is over-used and confused, and that's 'policy compliance.' It can mean so many things to so many people," says Stuart McClure, senior vice-president of risk management product development at McAfee, Inc.
This is why having a core definition of risk is the first step to devising an enterprise-wide risk strategy.
Understanding what risk means to the company will move it away from a reactionary approach to a more proactive stance, believes Greg Bell, a partner with KPMG's risk advisory services.
"Fundamentally, if you think about the health of security, it should start with good risk management practice," he says. This means understanding and identifying the nature of the risks to the organization and then, broadly, understanding the practices to support the business.
Before even approaching executives about executing such a strategy, Preston Wood, CISO of Zions Bancorporation headquartered in Salt Lake City, Utah, suggests making a point to understand exactly what informational assets are important to the business and how these help it to operate.
Knowing what is most important to the company is crucial to making a case for implementing, and then adhering to, an RM strategy, as well as deciding which resources will be required.
Mapping the risks associated with this critical business information is a step often missed by security practitioners, says Wood.
"It's really important that a lifecycle of risk management demonstrates that you can mitigate risk with what you're deploying," evidence that will help build trust and support from executive managers, he says. "[Then] you have to keep on indicating to management not only what you are doing, but that what you are doing is effective."
It is also crucial that there is organization-wide understanding that IT security pros are the custodians of business assets. But even before implementing a holistic enterprise RM program, department heads must bear some responsibility for the information they own and use, says Kevin Dickey, CISO of Contra Costa County in California.
"Make the business owners understand the risk, own the problem, and tell the IT people what to do to make [data] secure," he says. Failing this, business owners may end up putting the blame for any breaches of their departments' informational assets – for which they are also responsible – on the IT division.
At this point, says Dickey, it comes down to taking a lifecycle approach to managing risk. This entails working with departmental leaders to undertake a business impact analysis, which involves outlining business practices, prioritizing mission critical data, applications and network segments, and defining any regulatory requirements to comply with. Next, a plan to mitigate risks must be drafted, which will help clarify the effects on, and goals of, IT security.
Unfortunately, instead of involving appropriate department heads and other key corporate officials, one large financial institution's executives recently decided their company's risk should be owned by the CIO and IT group, says Kris Lovejoy, CTO of Consul Risk Management. Dedicating inordinate amounts of money to various IT security tools, they thought they were protecting critical information. Because of their efforts, however, productivity took a hit.
They deployed various security technologies, including identity management solutions that required multiple levels of permissions to access different files or applications. Failing to understand the goals of such initiatives or gain an understanding of the critical assets truly needing protecting, their haphazard technology deployments impeded staff from accessing applications for the simplest of duties, she recalls.
This leading institution's managers and their IT staff, while having the best of intentions, simply failed to adopt an RM strategy that aligned with the corporate strategy and business goals, she explains.
Luckily, more company executives are learning that addressing corporate risks is not just an IT security problem, but also an individual department's problem, says McAfee's McClure.
Companies have to know where the risks are, how best they should be addressed, try to mitigate them and then measure efforts. "I always call it, 'find and fix it, then manage and measure it'," he says.
By tackling security risks in this manner, the company should be able to ensure that day-to-day business processes are not hindered, he adds.
Indeed, KPMG's Bell notes that aligning risks to budget needs is often "a moving target, more art than science," adding that "one of the biggest mistakes is very simply continuing business as usual, without understanding the changes in the environment."
Ensuring that the RM strategy actually keeps the company in business will ultimately help IT security managers get the support they need from both their own bosses and department heads to address changing risks and their controls, says Zions' Wood. That support is crucial to managing and measuring controls, then modifying them when necessary.
According to McClure at McAfee, to reach such a conclusion requires business leaders and IT security pros to agree on a common language about risk, a structure to measure it, and the best practices to support it.
To accomplish this, all senior leaders from appropriate departments must participate on a risk metrics committee to define what the company is trying to achieve by implementing an RM strategy.
Such a group will define the acceptable risk level, decide on the standards to be used (such as ISO17799), and coordinate how adoption and oversight of these best practices are undertaken in each business unit. Systems or services to support these efforts can then be deployed.
"When we put together our own risk management strategy it was really data- and application-centric," says Wood. "We've classified our risk according to the data and how the application that manages that data works."
Looking at the flow of information and the various vectors through which it traveled, Zions helped to categorize the risk to its information assets. Involving business owners in performing risk assessments and translating the results of these to RM objectives helps IT security practitioners protect the company.
This means IT security goals are on the same page with corporate goals, he adds, with both enabling business endeavors while mitigating the risks to them.
"By defining your risk management strategy it allows you and your business to speak in the same terms, but it also gives you the opportunity to demonstrate to executive management that controls you put in place are effective. You know where to focus your time and energy," states Wood.
"People struggle with translating a security control or risk into business terminology. [But] if you can put yourself in the business person's shoes... then you are going to have a much easier road."