Enterprise Risk Management For IT Security

A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.

The key to success is understanding the core elements of risk management and how to plug them into existing processes without simply creating another layer of overhead. A major theme of my recent research has been existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk, provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.

In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.

Comments

Aligning IT Risk and ERM Objectives

Great report Chris, I often speak to CIOs and CROs who are increasingly integrating their IT risk programs with their overall ERM program in an effort to operationalize an effective and sustainable IT Risk program that is aligned with business objectives and goals.

I think the process of IT

I think the process of IT Security Threat and Risk Assessment (TRA) and Certification and Accreditation (C&A) needs to be baselined and automated to ensure sound governance, risk management and compliance across the organisation's IT operating environment. There are various methodologies and guidelines, as well as open source and commercial software, available for organisations to easily adopt, operate and manage. Examples include NIST SP800-39, CSEC/RCMP Harmonized TRA Methodology, OCTAVE, PolicyDoc SMART, Dynetics Cyber Security C&A software, etc.

BUT...

This, alone, will not enable senior management to make informed risk-based decisions, which is vital to Enterprise Risk Management (ERM). More specifically, commitment of funding and resources to sustain and improve the organisation's IT security program. Why? Because most often these [IT Security] outputs are written in IT speak vice business speak, which causes confusion and often results in sidestepping IT security for competing priorities that are more easily digested and supported, thereby perpetuating the whole "IT security is an IT issue and NOT a corporate issue" mantra.

That being said, I think, introducing ERM to IT Security and Risk Management might be better accepted if the IT Security Program is first introduced to the organisation; and aligned with corporate strategies and business processes.

From there, IT security related threats to the organisation should be fed into ERM to help create senior management awareness of what business programs and services are facing on a daily basis. In doing so, the quantitative value of the IT Security Program to the organisation is demonstrated. At that point, IT Security TRA and C&A investments become a much easier sell since senior management can appreciate and understand the real value to business programs and services. In my view, this will get a CISO much further ahead than constantly crying to senior management about risks to IT systems and data, which never seem to materialize -- perhaps because of the lack of funding and resources needed to implement adequate detection controls and monitor them on a routine basis.

Converging IT and Enterprise Risk

The comment in the last post is an interesting one: "introducing ERM to IT Security and Risk Management might be better accepted if the IT Security Program is first introduced to the organisation."

From the work I have done with clients, IT security can certainly get some "introduction" into the business if senior management highlights the importance of key IT security issues (privacy, IP protection, business continuity, etc.) but the bulk of the work has to be bottom-up.

If the head of IT security cannot articulate the most significant risks and give some indication of their impact on the business, then it doesn't matter if they have the visibility they need. They will still struggle to justify budget increases or gain broader participation from the rest of the organization.