Integrating security into broader risk management
April 2016 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
It’s a fact that today’s businesses run on technology. The business applications we deploy help organisations be more efficient, help them service larger markets, and help business teams be more agile and move more quickly. More broadly, external services like cloud and mobility help employees be productive at any time, from anywhere on the planet.
Obviously, business benefits associated with these technological improvements can be huge. But, as anybody who has even cursorily glanced through the headlines recently can attest, sometimes there can be risk areas that arise as a result of the use of this same technology. It is a double-edged sword. We have seen breaches galore, criminals holding organisational information for ransom or otherwise committing fraud or extortion, and critical back-breaking issues that have left the unfortunate business they impact reeling.
This means that today, cyber security (the discipline of keeping organisations protected from security issues and thereby ensuring that technical risks are appropriately mitigated) is increasing in importance in a manner proportional to business value that technology adoption brings to the table. This spells a challenge though in practice. Why? Because at the highest levels of the organisation, there is often a disconnect when it comes to cyber security. Often, activities performed and decisions made at the technical level don’t propagate into broader risk management efforts – this means they don’t always have the visibility upwards that might be optimal.
It is true that some enterprises have embraced a holistic enterprise risk management (ERM) approach and integrated technical risk into their broader strategy of risk management. But frankly, this is the exception rather than the norm. Instead, what often happens is that technical activities occur and – much like leukocytes (white blood cells) fighting disease in your body – the actual work of keeping the technical risks managed happens in what is an invisible fashion. Or, at least, it is invisible from the point of view of the risk management structures that the organisation has so diligently stood up. For example, an organisation might have a risk management function that evaluates business risk generally (or several depending on industry and organisation size) that has little or no interaction with these more technical areas.
This is problematic for a few reasons. First, it means that the organisation may not have an accurate understanding of all the risk in play. That on its own is a pretty big deal, but it also has additional complexities as well. It can lead to non-synergistic countermeasures and controls – for example, if a control is selected to mitigate a business risk but that brings about additional security challenges.
The point is, it can be advantageous to ensure that cyber security efforts operate in tandem with the rest of the risk management of the organisation as a whole. But for those organisations that have not embraced ERM, how can this happen? There are a few ways to get the ball rolling. We have outlined several steps below, however it is important to note that these are not the only steps. Indeed, there are as many ways to do this as there are organisations themselves. The options below have been chosen specifically because they require no budget to do, and they remain useful regardless of whether or not the organisation ultimately chooses to establish a more formalised ERM methodology.
Establish a forum. You’d be surprised how often there is a dearth of communication between security teams and other risk management functions. This isn’t (usually) purposeful; instead, risk management is by its very nature an ‘interrupt driven’ activity. Meaning that putting out the fires of the day can sometimes overshadow interdepartmental communication. One way to combat this is to establish a standing communications channel. A periodic roundtable-style forum for the discussion of issues, sharing ideas, and so forth can have tremendous value. Even if more frequent meetings are not practicable, even annual or biannual meetings can be enough to build relationships that would not necessarily develop on their own accord.
Bi-directional reporting, upward visibility. It can also be helpful to establish a bi-directional process for reporting risk status – as well as ongoing mitigation and assessment efforts – between teams. There could be potential opportunities to work together or to combine efforts to minimise business disruption. As you do this, put some thought into how teams will communicate status and issues upward so that the board – and executive teams – have a consistent and thorough visibility into risk.
Establish ownership. Sometimes there can be areas where responsibilities overlap. For example, in the case of M&A activity, both the business risk and the technical risk of a potential acquisition target may need to be evaluated. In this case, both the technical security organisation, as well as business risk evaluation teams, may be involved. Explicit discussion of tasks and responsibilities (i.e., which organisation will do what) can be hugely beneficial to ensuring appropriate coverage and that no areas fall between the cracks.
Share a risk register. Whether or not the organisation already uses a risk register approach, developing a shared risk register – i.e., one that is kept current and includes both technical as well as business risk areas – can be hugely beneficial. A central tracking mechanism means that each organisation has visibility into all risks regardless of type of risk. This can lead to the opportunity for more efficient control selection (i.e., selection of countermeasures that mitigate multiple risks at once), it can help facilitate better upward reporting (and thereby better and more accurate visibility to the board and executive teams), and can assist in compliance efforts by helping to document due diligence activities – i.e., by documenting actions taken in response to specific risk areas.
Standardise vocabulary, risk appetite. Of course, it goes without saying that having a common vocabulary between teams can lead to greater effectiveness. Often, technical risk efforts struggle to fully understand business impact of risks – and likewise sometimes business risk teams may not fully understand how technology can compound threats or serve as a possible countermeasure or mitigation for others. Both the communication pathways established above and establishing a consistent vocabulary in how risks are assessed and tracked can serve to help make both areas stronger and shore up these areas. Likewise, establishing a consistent understanding of risk appetite can provide benefit for this as well.
Ed Moyle is the director of emerging business and technology at ISACA. He can be contacted on +1 (847) 660 5549 or by email: firstname.lastname@example.org.
© Financier Worldwide