LINK: Great blog post on security risk management

A post after my own heart. We need to take a step back and look at the bigger picture when it comes to risk management. What is important, what can go wrong, how can it go wrong, who can make it go wrong? Is it really important? What is the method, motivation and opportunity? Very good read!


Exploiting Opportunities – Internal Control and External Confidence

Business is changing. Our recent (or current) 1-in-100-year economic event has sparked a much needed renewed focus on corporate governance. For us in the risk world this presents an opportunity to emphasise the need for good governance and internal control. Risk management is a critical success factor for an organisation operating in the current and post-downturn world. One can assume that only those companies with strong risk management principles (and integrity) made it through the tough times intact. By itself this achievement can be used to instil confidence in consumers and clients, which will have a positive impact on business. For example, adopting and implementing a compliance programme such as ISO 27001 (for the right reasons) demonstrates appropriate management of information security and can be a business enabler. In time, as regulatory and compliance requirements increase, the inability to manage and market sound internal control processes adequately may become a barrier to taking on new business or chasing market share.

Coupled with the ability to outwardly display good information security governance is the requirement to be agile and take advantage of business changes while still maintaining a sound security environment. From a technology perspective this is the common problem of new devices and ‘business’ toys finding their way into the work environment without InfoSec having a chance to perform a risk assessment and implement the requisite controls. The increasingly blurry line between business and personal devices, and their associated communications, exacerbates the issue. The greater the lag between implementation and securing the technology, the more risk the company faces. In a high-performing environment the security team will be ahead of the curve and already have plans in place before the technology is brought in. However, budget challenges in today’s environment, while companies get back onto the front foot, could impact the recruitment process and ultimately the capability of the InfoSec team to deliver.

Agility from the information security team is also important to support the business while it exploits opportunities. Some noteworthy activity took place in the SA mergers and acquisitions space last year (HSBC & Wal-Mart), and according to the NY Times this global trend will continue due to low interest rates, cash surpluses and distressed companies. InfoSec teams need to be involved in these deals from the start to identify and manage risks relating to the consolidation of environments, security models, culture and the management of intellectual property. M&As can be a risky process for businesses, and support from the relevant risk management and assurance providers can help prevent unwanted surprises further down the line.

The trend of buy-outs and takeovers is also shaping the IT security landscape – Intel bought McAfee and IBM bought Guardium – showing that these giants recognise security as a key pillar of IT and not an afterthought. Their solutions may well provide a foundation to manage security throughout the IT lifecycle as customers require greater visibility and management of information. The recent purchase of OpenPages (GRC software) by IBM shows a much needed expansion into the broader risk management world outside of pure IT, so we can expect more end-to-end solutions addressing IT service delivery, architecture, business process and risk management.

Together with King III principles, this new technology may provide the catalyst assurance providers need to collaborate and work smarter. We need to take a critical look at our risk assessment processes to ensure key risks are prioritised properly and have adequate coverage (defence-in-depth is nothing new to the information security world). The complexity of and change in business environments necessitate collaboration, as no single division has the capability to identify, manage or control end-to-end business risk. The other tangible benefit will be to avoid duplication of certain activities between InfoSec, Operational Risk and Audit (for example), which can either have a positive impact on the bottom line through a reduction in hours charged, or free up time to spend looking at more strategic risks.

In conclusion to this somewhat broad-sweeping post, more can be done to improve and market information security risk management in our current climate. External factors have resulted in trying conditions for many organisations, but they also present opportunities and provide new solutions to assist business security management. Strong internal security controls limit operational costs and increase process efficiencies, both of which have an intrinsic link to external confidence. The value can also be less tangible, but means allocating fewer resources to fire-fighting and more to strategic planning, resulting in cost optimisation and process improvement.

Seven Habits of Highly Effective Risk Management

I’ve been giving some thought to what makes a good risk management function. What follows is a summary of the 7 key attributes or processes I settled on, in no particular order. It is worth noting that this is not specific to IT or information security, but any environment where risk needs to be managed.

1. Objectivity

Be firm but fair. Always exercise professional scepticism when evaluating the effectiveness of a control environment. Just because someone says something works doesn’t necessarily mean it works as it should. Independence is also important – those too close to a process are not always in the best position to identify risks.

2. Risk assessment and reassessment

People, processes, the environment, technology, everything and anything changes. Consider the rate of change and other factors (such as incidents) and define a formal plan for revisiting the risk assessment phase. Check that your attributes, ratings and area of assessment are still valid.

3. Refinement of controls

In conjunction with #2, revisit controls and associated processes to validate that these are effective and efficient. Even if the environment (and risk) hasn’t changed, there may be a better way of managing the risk, such as with a new technology. Using maturity models can help to track and measure changes in the effectiveness of controls. Although monitoring controls is a fundamental part of risk management (as in the prescribed Plan-Do-Check-Act methodology), this does not constitute independent review. Make sure your audit team has a look at the control environment to give their view.

4. Collaboration with other risk management functions

Work environments can be very complex. Many systems, processes, laws, regulations and other attributes combine to keep a business working. It is nearly impossible for a single division to have 1) the knowledge required to understand all risks, and 2) the visibility of all components of the business. Even those teams with similar skill sets (such as IT security and IT audit) have different objectives and so need to work together to help the business manage risk effectively. Rather than working in isolation, there is more value in assurance providers and risk managers working together to ensure appropriate lines of defence are in place while avoiding duplication of effort (i.e. combined assurance).

5. Awareness and training

The possibly high rates of change in an environment (systems, business processes, risks, technologies or regulation) pose a challenge to those responsible for identifying and managing risks. Continued learning and awareness are fundamental requirements to obtain and sustain the necessary knowledge of the environment and its associated risks. At the same time we are challenged by having too much information easily available, so it is important to filter out what is relevant and to identify trustworthy sources. Engaging with other professionals in this context is a great way of keeping up to date with changes relevant to your environment.

6. Collaboration with business

Apart from making the workplace more pleasant, there is value in building a trusted relationship between risk managers/assurance providers and business stakeholders. The more these parties engage, the more opportunity there is for knowledge transfer. The more a risk manager knows about the environment in which they operate, the more effective they can be and the more value they can demonstrate.

7. Fairness

Most (if not all) divisions have the business’ best interests at heart, including risk functions. A risk manager’s job is not to always err on the side of caution and drive the control environment to such an extent that all risks are fully mitigated as this hinders the business’ ability to operate or perform successfully. Many businesses need to take risks to make money, and it is the responsibility of risk functions to allow them to do so while managing risks to an acceptable level. Managing risks is not always about fully mitigating them.

Not by Design, but over Time – The Value of Independent Review

We (can hopefully) assume that most people are inherently risk averse when it comes to their work environment. We perform our duties with good intentions and expect our relevant skills and experience to keep us from exposing our business to unnecessary risk, as this would have an impact on our own brand as well as the organisation in some way, shape or form. In fact, we could propose that in many cases when an employee does expose their business to risk it is because they are unaware of the potential consequences of their actions, which points to possible breakdowns in the internal awareness training and control environment (think of a techie posting a question on a forum asking for troubleshooting advice and including the specifics of hardware, software and network configuration).

If entrusting everyone to do their roles as we expect was a feasible risk management approach, then there would be little use for the assurance providers and risk managers in an organisation. Sadly this is not the case, and despite our best intentions we may not always identify risks in our own actions. The level of risk may increase over time, starting at an acceptable level, but then rise due to a range of factors such as more reliance placed on an individual, business process changes or external events. The danger is that this could happen without management being aware.

Identification of risk and monitoring of control effectiveness are key roles that must work in conjunction with operations. Those working in operational roles may become blind to risk identification as they are (correctly) focused on their operational activities and often not on the bigger picture.

For example, a DBA managing a set of systems may prove to be exceptional in managing, optimising and controlling her databases, and so management assigns more databases to her portfolio. As the number of databases under her management increases, so too does the amount of critical or sensitive information within her reach. Management understands that this information requires additional controls, and tasks the DBA with building a robust monitoring solution.

An independent party (e.g. second or third line of defence) will easily pick up that the person responsible for managing the database environment is also the same person responsible for securing it. This lack of segregation of roles may be overlooked by management due to the trust element and high performance of the DBA in question. Despite this the scenario still presents a threat to the organisation by providing an opportunity and method for malicious activity to be executed without detection. All that is required is motivation (which could take many forms) and the risk becomes very real.
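The segregation-of-duties conflict in the DBA scenario is mechanical enough to check automatically. The following is an added example (not code from the original post) showing one way to do that: it takes a list of role assignments per person and system, a matrix of role pairs that should never be held together on the same system, and flags both the direct conflicts and any system whose administrator is not monitored by someone independent of the admin group. The role names, the conflict pairs and the sample assignments are constructed for illustration and are not taken from the post.

```python
# Added example: segregation-of-duties (SoD) check over role assignments.
# Role names, conflict pairs and sample data below are constructed assumptions.
from collections import defaultdict

# Role pairs that one person should not hold on the same system (assumed SoD matrix).
CONFLICTING_ROLE_PAIRS = {
    frozenset({"db_admin", "db_security_monitor"}),
    frozenset({"db_admin", "db_audit_log_reviewer"}),
    frozenset({"payments_initiator", "payments_approver"}),
}

# Constructed sample assignments: (person, system, role).
SAMPLE_ASSIGNMENTS = [
    ("alice", "crm-db", "db_admin"),
    ("alice", "crm-db", "db_security_monitor"),  # administers and monitors the same system
    ("alice", "hr-db", "db_admin"),
    ("bob", "hr-db", "db_security_monitor"),     # independent monitor for hr-db
    ("carol", "erp", "payments_initiator"),
    ("carol", "erp", "payments_approver"),       # initiates and approves payments
    ("dave", "crm-db", "db_audit_log_reviewer"),
]


def find_sod_conflicts(assignments, conflict_pairs=CONFLICTING_ROLE_PAIRS):
    """Return sorted (person, system, role_a, role_b) tuples for every
    conflicting role pair held by a single person on a single system."""
    roles_by_person_system = defaultdict(set)
    for person, system, role in assignments:
        roles_by_person_system[(person, system)].add(role)

    conflicts = []
    for (person, system), roles in roles_by_person_system.items():
        for pair in conflict_pairs:
            if pair <= roles:  # both roles of the pair are present
                role_a, role_b = sorted(pair)
                conflicts.append((person, system, role_a, role_b))
    return sorted(conflicts)


def systems_without_independent_monitoring(
    assignments, admin_role="db_admin", monitor_role="db_security_monitor"
):
    """Return sorted systems that have an admin but no monitor who is
    *not* also an admin of that system (i.e. no independent oversight)."""
    admins = defaultdict(set)
    monitors = defaultdict(set)
    for person, system, role in assignments:
        if role == admin_role:
            admins[system].add(person)
        elif role == monitor_role:
            monitors[system].add(person)

    flagged = []
    for system, admin_people in admins.items():
        independent_monitors = monitors.get(system, set()) - admin_people
        if not independent_monitors:
            flagged.append(system)
    return sorted(flagged)


if __name__ == "__main__":
    for person, system, role_a, role_b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {person} holds {role_a} and {role_b} on {system}")
    for system in systems_without_independent_monitoring(SAMPLE_ASSIGNMENTS):
        print(f"No independent monitoring of administrators on {system}")
```

On the constructed data this reports alice on crm-db and carol on erp as direct conflicts, and crm-db as a system whose administrator is only monitored by herself; hr-db passes because bob, who is not an admin there, holds the monitoring role. In practice the assignments would be exported from the directory or database grant tables and the conflict matrix agreed with audit, so that the second line of defence can run the check independently of the operations team.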

My point is that everyone has a role to play in identifying and managing risks while allowing the business to perform efficiently. The operations team in this instance must acknowledge that the independent risk managers have correctly identified a risk that needs to be managed.

On the other end of the scale it is also easy for risk managers to err on the side of caution and to avoid risk rather than looking to manage it. It is forgivable to be cautious in the current economic environment, but this stifling of management’s intentions could also have a negative impact on the bottom line as opportunities could be missed.

We can’t expect everyone to be experts in both operations and risk management, as each side needs to have a deep understanding of their areas within the context of the business. Rather, it is a fundamental requirement to establish a trusted environment between the disciplines through identifying the relationships and tensions that exist between the various teams. In this way the business can prevent each discipline from restricting the other’s effectiveness, as in the end both are equally important to support and sustain the organisation’s strategy.