Information Security in Context: The CISO as a Transformational Role in Risk Management
Information Security at the Center of Risk Chaos
Inevitable Failure: Managing Information Risk in a Silo
Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards and executives, as well as for governance, risk management, and compliance (GRC) professionals throughout the business.
The dynamic, distributed, and disrupted nature of business is particularly challenging to information risk management. It is like the hydra of mythology: the organization combats one risk only to find more springing up to threaten it. As an organization expands its operations and business relationships (e.g., vendors, outsourcers, service providers, consultants, and staffing), its risk profile grows exponentially, because each new relationship is interconnected with the others and adds its own facets of risk. Executives constantly react to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk, which permeates business operations, processes, transactions, and relationships in the digital world.
Managing information security and other risk activities in disconnected silos leads the organization to inevitable failure. Information risk has a compounding and exponential impact on the business. Business operates in a world of chaos: risk exposure is an intricate web of interrelated risks and vulnerabilities that weaves through departments, functions, processes, technologies, roles, and relationships. Applying chaos theory to business recalls the ‘butterfly effect’, in which the simple flutter of a butterfly’s wing creates tiny changes in the atmosphere that ultimately affect the development and path of a hurricane. What may seem an insignificant IT or information risk in one area of the organization can have a profound impact on other risks. Information security sits at the center of the organization’s most significant risk and compliance issues and has become a critical, interrelated business challenge that transcends the IT department.
When the organization approaches information risk as a silo, disconnected from other enterprise risk areas that do not collaborate with each other, it cannot make intelligent risk decisions that affect business strategy and operations. Siloed initiatives never see the big picture and fail to put information security in the context of organization strategy, objectives, and performance, resulting in complexity, redundancy, and failure. A nonintegrated approach to risk management, one that does not treat information risk as a foundation, impacts business performance and how it is managed and executed, resulting in:
- Redundant and inefficient processes. Organizations take a Band-Aid approach and manage risk in disconnected silos instead of seeing the big picture of risk, and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent risk systems: projects that take time and resources and result in inefficiencies.
- Poor visibility across the enterprise. A reactive approach with siloed initiatives results in an organization that never sees the big picture. It ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk assessments asking the same questions in different formats. The result is poor visibility across the organization and its environment.
- Overwhelming complexity. Varying risk frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty, and confusion to the business. Complexity increases inherent risk and results in processes that are neither streamlined nor managed consistently, introducing more points of failure, gaps, and unacceptable risk. Inconsistent risk management confuses not only the organization but also regulators, stakeholders, and business partners.
- Lack of business agility. A disconnected risk management strategy handicaps the organization as it manages systems and processes encumbered with hundreds or thousands of disconnected documents and spreadsheets. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes, and disconnected data organized without any sense of consistency or logic.
- Greater exposure and vulnerability. The result is an organization that does not see risk holistically. Each department focuses on what is immediately before it rather than on the complex relationships and interdependencies of information risk intersecting with other risks. This creates gaps that cripple risk management and leave the organization ill-equipped to align risk management with the business.
Risk management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Various systems and processes interrelate in apparent and not-so-apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmentalized in silos, the organization fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any individual silo understood.
Organizations require complete situational and holistic awareness of information risk across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The decentralized, disconnected, and distributed processes of the past leave the organization unprepared for information risk and expose it. The interconnectedness of the information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) lead a foundational and integrated approach to risk management across the organization.
The Bottom Line: Understanding and managing risk in today’s environment requires a new paradigm for managing the interconnections and relationships of risk, particularly information risk. Given the pervasive use of information and technology across the organization, it is a natural path for information security to step up and lead enterprise risk management strategies. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to keep it competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to effectively manage risk across the enterprise.
GRC 20/20 related resources on this topic:
- WEBINAR: Information Security: A Risk Management Foundation (October 6 @ 2:00 pm – 3:00 pm EDT)
- WORKSHOP: IT GRC Management by Design Workshop, San Diego (November 1 @ 8:00 am – 5:00 pm PDT)
- PAPER: Information Security in Context: The CISO as a Transformational Role in Risk Management
- RESEARCH BRIEFING: How to Purchase IT GRC Management Solutions
- RFP REQUIREMENTS: GRC 20/20 IT GRC RFP Requirements & Support