Archive for December, 2009

Operationalize Risk Management

Pravin Kothari

The last topic of discussion at the Accenture CISO Roundtable was “Operationalize Risk Management”.  If you recall, we started the session with Bob West of Echelon One discussing the need for CISOs to speak about and measure risk.  Then Scott Charbo of Accenture discussed what risks to measure and how to measure them.  Mark Lockareff of Agiliance then discussed how to operationalize these measurements and how technologies can help.  Here are some of the key discussion points.

When the analyst community coined the term “GRC” a few years back, they positioned the 3 terms in order of theoretical maturity level.  In theory, an organization should first figure out how it wants to run its business and operations (Governance), then figure out how to manage the risks it faces that may prevent it from running its business, and then figure out how to assess and report against compliance requirements.  This maturity model is perfectly logical, but very difficult to achieve given real-world constraints.  Since most organizations are on-going operations and must “keep the lights on”, compliance became priority number one.  Compliance is the best understood requirement of the three, and the consequence of non-compliance is clear cut.  By now most organizations have significant investments in various aspects of compliance, in terms of people, processes, and technologies.  Most big organizations are becoming “compliant” and have matured to the point of wanting to fill out the rest of the GRC functions, namely Risk and Governance.  Risk is the natural next step since it is better understood and more measurable than governance.  So the real-world maturity model is really “CRG”.  Not the way things should be, but it is the way things are.

The next logical question is how an organization that has invested heavily in compliance makes the transition to proactive risk management.  Can an organization leverage its compliance investments for its risk management initiative?  Where are the gaps and what are the next steps?

Organizations that have invested in compliance programs usually have a defined set of controls and testing procedures.  Most organizations have also invested in some control technologies, such as vulnerability scanners, data leakage prevention, identity management, segregation of duties, log monitoring, etc.  The good news is that these control points are some of the same ones required to gauge risk for security, operations, disaster recovery and so on.  The fact that controls have already been defined and are being tested and enforced is a great start.  The issue is that the testing and reporting on these controls are generally done with manual audit processes, involving lots and lots of spreadsheets and processes that are error-prone.  Risk is inherently real-time: risks do not cease to exist in between the audit cycles.  So in order to leverage control investments for risk management, an organization needs to make control assessment and reporting near real-time and continuous.  To move from a compliance-centric GRC program to a risk-centric GRC program, an organization needs to invest in automation for control assessment and reporting as well as in new processes for risk management.

New automated and integrated GRC solutions leverage existing control technology investments and combine automated data from the environment and deployed controls with information from operational controls, audit processes and mapped risk models.  Through such integration, a GRC solution can enable continuous risk and compliance management.

The key to success for most IT projects is to roll out incrementally and achieve realistic goals with clearly demonstrable business benefits at each phase.  GRC automation projects are no exception.  There is no need to boil the ocean or throw the baby out with the bath water.  Building on existing investments and processes is the key to moving up the “CRG” maturity cycle.

This will probably be my last post for the year.  So happy holidays and a very happy new year to my fellow GRC professionals.

Manage Risk by Measuring “Flow”

Pravin Kothari

In my last blog post I summarized some of the key points from Bob West’s session at the Accenture and Agiliance CISO Roundtable.  Bob made the point that it is critical for CISOs to speak about and measure risk.  The natural follow-up question is then what risks to measure and how to measure them.  Scott Charbo, Vice President at Accenture and former CIO of the Department of Homeland Security, presented and discussed that topic.  Here are some of the key insights I would like to share from that discussion.

Risks exist in every part of the business.  Security risk is one type of risk.  Other risks include privacy risk, compliance risk, credit risk, environmental risk, disaster risk, third-party risk, and many more.  The CISO organization has traditionally dealt with information security risks, especially around threat and vulnerability management and access management.  These are topics that traditionally reside exclusively within the security function, and the CISO has control over them.  While some organizations are more mature than others, implementing proper technologies and processes and translating these threats into some type of risk metric is something most CISOs are very capable of addressing.  What is increasingly evident is the challenge of security risk emerging from other parts of the enterprise that the CISO’s organization does not control and, in many cases, is not even aware of or has no visibility into.  These risks are now growing rapidly because of the introduction of new consumer and enterprise technologies.  Scott’s presentation was titled “An Expanded Security Ecology With Outcomes In Mind”.  Scott introduced some interesting concepts about what risks to measure, and how and where to measure them, in order to optimize the deployment of precious security resources.

The dynamics within an organization are all based on “flow”: the flows of information, processes, services, and data on our networks.  Today businesses are already managing the availability of these flows.  From IT’s perspective, the focus has traditionally been on how many 9’s of availability are required and how to maintain that availability.  From security’s perspective, it has been about managing the security of those flows.  Traditionally the CISO organization has deployed various tools like IDS, IPS, content filtering, SIEM and now DLP to help secure these flows.  Risk reports from these tools and data points do not take into account risk factors from policy, processes and other operations.  The focus has remained on monitoring the data points IT knows about and has controls over, namely IT infrastructure and endpoints.

When a bad thing happens and disrupts the flows, whether it is a breach, an outage, etc., some new exposure in the broader flow is often identified.  These previously unknown risks that organizations uncover can often be traced back to sources outside of the IT organization.  Management of flows across departmental boundaries tends to be by policy, manual processes for compliance, service levels, etc.  To gain control over certain risks, the CISO must expand the focus to the broader organization and put the right controls into other business processes such as architecture, operations, policy and compliance, acquisition, and budget.  Too often CISOs just resort to implementing compensating controls within IT to protect against risks originating from outside of IT, and these are often costly and imperfect.  By measuring and managing the risks of the broader flows across departments, a CISO can better control some of these emerging risks and even prevent some as yet unknown risks.

Here are a few examples to illustrate the point:

  • To control the risk of privileged user access, it may be necessary to monitor the process flow between human resources and data center operations.  Accounts may not be reset or removed when a DBA changes jobs or leaves the company.
  • Risk metrics should take into account not only information security, but also policy compliance, process checks, physical security, business value, etc.
  • Risk should be assessed as a system or project flows from RFI to procurement to deployment, not only once it is in production, and should cover its budget risk, 3rd-party risk, IT architecture risk, policy compliance risk, security risk, etc.

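The first bullet above, the HR-to-data-center flow, is the kind of cross-departmental check that can be automated.  The following is an added example (not code from the post or from Agiliance) that reconciles a constructed HR roster against a constructed list of privileged database accounts and turns the mismatches into findings with a simple weighted risk score; the account names, roles and severity weights are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: the HR "flow" (roster with status and current role)
# and the data-center "flow" (privileged accounts on a database server).
HR_ROSTER = {
    "jdoe":   {"status": "active",     "role": "DBA",     "changed": date(2009, 6, 1)},
    "asmith": {"status": "terminated", "role": "DBA",     "changed": date(2009, 11, 20)},
    "bchen":  {"status": "active",     "role": "Analyst", "changed": date(2009, 12, 1)},  # moved off the DBA team
    "rwu":    {"status": "active",     "role": "DBA",     "changed": date(2009, 3, 15)},
}
DB_PRIVILEGED_ACCOUNTS = {
    "jdoe":    {"privileges": ["SYSDBA"], "last_login": date(2009, 12, 10)},
    "asmith":  {"privileges": ["SYSDBA"], "last_login": date(2009, 11, 25)},
    "bchen":   {"privileges": ["DBA"],    "last_login": date(2009, 12, 9)},
    "svc_bak": {"privileges": ["BACKUP"], "last_login": date(2009, 12, 10)},
}
PRIVILEGED_ROLES = {"DBA"}      # HR roles entitled to hold DB privileges (assumed)
SERVICE_ACCOUNTS = {"svc_bak"}  # non-human accounts reviewed by a separate control (assumed)
SEVERITY_WEIGHTS = {"critical": 10, "high": 5, "medium": 2}  # assumed scoring scale


@dataclass
class Finding:
    account: str
    issue: str
    severity: str


def reconcile(roster, accounts):
    """Compare privileged DB accounts against HR and report each gap in the flow."""
    findings = []
    for acct, info in accounts.items():
        if acct in SERVICE_ACCOUNTS:
            continue
        person = roster.get(acct)
        if person is None:
            findings.append(Finding(acct, "privileged account with no HR record", "high"))
        elif person["status"] != "active":
            # A login after the termination date means the orphaned account was actually used.
            sev = "critical" if info["last_login"] > person["changed"] else "high"
            findings.append(Finding(acct, "privileged account for terminated employee", sev))
        elif person["role"] not in PRIVILEGED_ROLES:
            findings.append(Finding(acct, "privileges retained after role change", "medium"))
    return findings


def risk_score(findings):
    """Single number a risk dashboard can trend between audit cycles."""
    return sum(SEVERITY_WEIGHTS[f.severity] for f in findings)
```

Run continuously against fresh HR and account exports, the score rises the moment a departure or role change is not mirrored on the server, rather than at the next annual access review.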
Successful CISOs who want to keep up with the growing risk challenges must think outside of the box that is IT and start thinking in terms of the broader security ecology within the enterprise.

How Effective Are Your Policies?

Pravin Kothari

It’s all over the news now that the Supreme Court has agreed to hear a case on employee privacy, specifically regarding the ownership of electronic communications (email, text) generated using company-issued computers and cell phones.  Needless to say, whatever ruling comes out of this case will have a profound impact on privacy rights within the US.  What also intrigues me about this case is the effectiveness of policies in an organization.  According to the news, the Ontario Police Department claims that the department’s privacy policy is very clear on this matter.  Now, what do you think is the chance that this police officer has read that privacy policy, let alone understood its impact on him?  How many officers in that police department do you think have actually read the privacy policy?  The answer is probably a very, very small percentage.  Now think about your organization: do you think your company is doing any better?  Do you know what your company’s privacy policy is and how it impacts you?  Chances are you don’t.  Unfortunately most companies treat policy as a paper exercise.  Companies put a lot of effort into writing, reviewing and approving policies, and then the effort to socialize and enforce those policies takes a steep dive.  Most companies just send out an email or a casual reminder to all employees once a year.  A few more companies ask employees to attest that they have read it and also make on-line training available.  Few actually attempt to measure comprehension of and compliance with those policies.  Policies are basically controls.  You can define all the controls you want, but if you don’t enforce them and measure their effectiveness, then it is just a paper exercise that gives you a false sense of warm and fuzzy.  As we welcome 2010 and a new age of privacy enforcement in the US, do you know where your policy program stands?

Who Is Responsible For Patient’s Privacy?

Pravin Kothari

Here is an interesting article from The Christian Science Monitor examining 5 very important paragraphs in the new Senate healthcare bill.  The proposed bill allows the government to access all electronic medical records in the name of research without the patient’s consent.  One of the article’s conclusions is that “Congress needs to pass a strong, ethical patient consent law that ensures patients have control over the flow of their personal health information.”  Without such mandatory protection from the government, the responsibility for privacy protection will reside with the care delivery organizations.  Whether required by law or not, “trust is a must for ensuring quality healthcare”, as stated in the article.  Care delivery organizations must stand on the side of their patients and put in place the necessary privacy protection measures.  On the flip side, if the care delivery organizations are not required to protect patients’ privacy, is that responsibility now passed on to the government as the data aggregator, or is it passed on to any research institution that accesses that database?  Somebody needs to take the responsibility before all our beloved public officials’ medical records get posted on the Internet for everyone to see :)

Bridging The Conversation Gap

Pravin Kothari

The Accenture and Agiliance CISO Roundtable event had some very interesting discussions and presentations.  Bob West, CEO of Echelon One and former CISO at Fifth Third Bank, led a discussion about how to bridge the conversation gap between the CISO and the other CxOs.  Here are some of the key points presented and discussed:

CISOs typically have their own vocabulary, which doesn’t translate well when speaking with other members of the executive team.  CISOs talk in terms of protection of assets and data, prevention, confidentiality, integrity and availability.  CEOs and CFOs talk about business value and how their investments relate to top- and bottom-line growth.  The result of this language gap is that most CEOs and CFOs do not fully appreciate the work of the security organization or the value of security technology investments.  Security is almost always viewed as a cost center.  Since the value of security is not clearly understood by the board, the CISO’s budget is traditionally a small portion of the CIO’s spend.

For CISOs to be effective in their roles, they need to translate security speak into business speak.  This means security must be framed in the two things that the business understands and measures: performance vs. risk.  A similar role for a CISO to model after is that of the General Counsel.  Just as the General Counsel advises the board on legal risks and enables the business to pursue projects with legal coverage, the CISO needs to come to the table as a business partner and counsel the business on what security risks are acceptable and how they trade off against performance.  This means CISOs must be able to measure and present security investments in terms of risk.  Emerging IT GRC solutions should be considered to bridge this gap.

All other parts of an organization are measured on their performance, yet the CISO and the security organization for the most part still behave as if security is black magic.  A question was posed to the CISOs in attendance on how they decide:

  • What security technology to invest in?
  • How to compare competing technology alternatives?
  • How much security is required and how much is enough?

The unanimous response was that the CISOs relied on their technical team’s qualitative justifications.  Measurements such as risk are rarely used to quantify the benefit of a security investment.  The participants also reluctantly agreed that this lack of quantitative measurement leads to “fad driven” purchases, where the trendiness of a new technology and the technical team’s enthusiasm for it carry too much weight in the decision process.  Pick any point in time in the last 20 years and there is always a cool new technology of the moment that is the best thing since sliced bread.

Mature security organizations need to have clear metrics to help the executive team understand whether they are performing effectively or not.  Business is about the tradeoff between performance and risk, and the security profession should be no exception.  Any security technology investment either has to reduce risk or improve the performance of the organization.  Otherwise, the organization has no reason to invest in that technology.  Once a CISO can quantify what the security team does and how security investments translate into risk reduction or performance improvement, the CISO’s team is no longer viewed as a simple cost center.

Of course this is not a trivial task, and few CISOs have done it successfully.  Fortunately one of the CISOs in attendance, an Agiliance customer, has actually been able to achieve this and shared his story with the group.  This CISO is from a defense contractor that operates communication infrastructure for multiple branches of the military.  He has deployed Agiliance IT GRC technology to measure the risk and compliance (to contract terms) level of their outsourced operations.  Today he presents regular reports and is in the process of providing real-time risk and compliance dashboards to his clients at the Department of Defense.  The contractor is now actively selling this real-time risk and compliance capability as a differentiator when bidding on additional military contracts.  The real-time visibility of risk is of great value to the DoD organizations and has been instrumental in landing large contracts.  This is a great case study of how a CISO has successfully articulated and positioned security and GRC technologies as a business enabler that helps to increase revenue performance and reduce revenue risk.
