Information Security in Context: The CISO as a Transformational Role in Risk Management

Information Security at the Center of Risk Chaos

Inevitable Failure: Managing Information Risk in a Silo

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance professionals (GRC) throughout the business.

The dynamic, distributed, and disrupted nature of business is particularly challenging to information risk management. It is like the hydra in mythology: the organization combats risk only to find more risk springing up to threaten it. As an organization expands operations and business relationships (e.g., vendors, outsourcers, service providers, consultants, and staffing) it’s risk profile grows exponentially because of the interconnected multifaceted risk environment. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.

Managing information security and other risk activities in disconnected silos leads the organization to inevitable failure. Information risk has a compounding and exponential impact on the business. Business operates in a world of chaos. Risk exposure is an intricate web of risk and vulnerability interrelationship that interweaves through departments, functions, processes, technologies, roles, and relationships. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wing creates tiny changes in atmosphere that ultimately impacts the development and path of a hurricane. What may seem as an insignificant IT or information risk in one area of the organization can have profound impact on other risks.  Information security is at the center of the organizations most significant risk and compliance issues and has become a critical and interrelated business challenge that transcends just the IT department.

When the organization approaches information risk as a silo disconnected from other enterprise risk areas that do not collaborate with each other there is no possibility to be intelligent about risk decisions that could impact business strategy and operations. Siloed initiatives never see the big picture and fail to put information security in the context of organization strategy, objectives, and performance; resulting in complexity, redundancy, and failure. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization. A nonintegrated approach to risk management with information risk as a foundation impacts business performance and how it is managed and executed, resulting in:

  • Redundant and inefficient processes. Organizations take a Band-Aid approach and manage risk in disconnected silos instead of seeing the big picture of risk, and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent risk systems: projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach with siloed initiatives results in an organization that never sees the big picture. It ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk assessments asking the same questions in different formats. The result is poor visibility across the organization and its environment.
  • Overwhelming complexity. Varying risk frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently: introducing more points of failure, gaps, and unacceptable risk. Inconsistent risk management not only confuses the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A disconnected risk management strategy handicaps the organization as it manages systems and processes encumbered with hundreds or thousands of disconnected documents and spreadsheets. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes, and disconnected data organized without any sense of consistency or logic.
  • Greater exposure and vulnerability. The result, the organization does not see risk holistically. The focus is on what is immediately before each department and not getting a handle on the complex relationship and interdependencies of information risk intersecting with other risks. This creates gaps that cripple risk management, and an organization that is ill-equipped for aligning risk management to the business.

Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows.  Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood.

Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) be a foundational and integrated approach to risk management across the organization.

The Bottom Line: Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. Given the pervasive use of information and technology across the organization, it is a natural path for information security to step up to lead enterprise risk management strategies. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to manage effectively manage risk across the enterprise.

GRC 20/20 Related Resources on this topic are . . .

IT GRC Management by Design, New York

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.

Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organizations operations requires that the Chief Information Security Officer (CISO) be a foundational and integrated approach to risk management across the organization.

Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, data) and externally (e.g., threat, competitive, legal, geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to manage effectively manage risk across the enterprise.

This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

September 13th in New York, NY USA

[button link=”http://grc2020.com/event/it-grc-management-by-design-workshop-chicago/”]REGISTER[/button]

IT GRC > IT Security

If you have been following my research over the course of the past 15 years you will know that I have often been frustrated when IT GRC has been understood to be confined to IT security management. In fact, you can find some of my Forrester reports (2001 to 2007) that often challenge the captivity of IT GRC by security.

IT Governance, IT Risk Management, and IT Compliance are broader than security. Yes, security is one of the most critical risks in IT departments and to the business. I am not minimizing IT security; it needs to be addressed.  However, this gives no right for IT security management solutions that do IT security governance, IT security risk management, and IT security compliance to hold IT GRC hostage.

Consider . . .

  • IT Governance. IT governance is the reliably achievement of objectives of IT, whose objectives should be aligned with the business. IT has many objectives that go well beyond security of IT systems and information. If IT governance is only about security, then we might as well give the CIO and CTO job to the CISO. Governance of security is important, but IT meeting business needs and objectives today and into the future is even more critical. IT governance is centered on the performance of IT and alignment of IT to meet business needs. Security comes in and after this context.
  • IT Risk Management. Some of the greatest risks in IT are security. But there are a range of other risks that are critical as well: IT service delivery risk, risk in IT operations, IT project risk, IT planning and staffing risks, disaster recovery and business continuity, and more.
  • IT Compliance. I will not argue, some of the greatest IT compliance challenges are about security (anyone dealing with PCI DSS and other compliance obligations knows this). The point still is that IT compliance goes beyond IT security. Consider web accessibility to requirements in ADA compliance (Americans With Disabilities Act).

What is frustrating to me is that 95% of the RFPs I assist with, or inquiries from organizations looking for solutions (between 5 and 10 a week), that I answer believe that IT GRC is synonymous to IT security management.

To put it in a formula:

IT GRC ≠ Security Management

IT GRC > Security Management

What is encouraging in the past 12 months is that I have seen several RFPs I have assisted in writing that are taking a broader understanding of IT GRC, and this is supported by growing inquiries from organizations asking me questions about solutions with broader IT GRC capabilities.

IT departments need a 360° contextual awareness of security in IT, but they also need a 360° contextual awareness of a broader understanding of IT governance, IT risk management, and IT compliance management.

As for the market, my definition of IT GRC remains broader than IT security management. There are solutions that deliver on a broader vision of IT GRC, some more than others. As a sub-segment of IT GRC are solutions with capabilities that focus primarily on vulnerability discovery and remediation to IT assets and measuring risk and compliance in a security context.

On October 19th, I will be presenting the next GRC 20/20 Research Briefing, 2015: How to Purchase IT GRC Platforms. This Research Briefing is aimed at defining a framework for purchasing IT GRC solutions, whether focused on IT security management or more broadly on IT GRC management.

The goal is to provide buyers of IT GRC solutions an understanding of different types of IT GRC solutions that have a broad or narrow focus, give them a decision tree to help them define what they need, present critical capabilities needed in an IT GRC platform, and offer advice related to IT GRC and security management RFPs and evaluations.

If you are frustrated with your current IT GRC implementation or looking to purchase an IT GRC solution, then I encourage you to register and attend this Research Briefing (or watch the recording).

[button link=”http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-it-grc-platforms/” color=”default”]REGISTER:How to Purchase IT GRC Platforms[/button]

NOTE: for clarity, I am an advocate of IT security and if your focus is on IT security management in context of IT GRC there are many great solutions that deliver this, I am just stating this is a sub-segment of IT GRC.