This week I attended the RSA Security Analytics Summit in Washington D.C. and had the incredible opportunity to meet one of the smartest individuals to date. Nate Silver was the keynote and he covered a lot of ground including 1) an analogy of the proliferation of information via the printing press in 1440 and the most recently the world wide web in 1990; 2) The End of Theory: The Data Deluge Making the Scientific Method Obsolete; 3) The 538 method and lessons from the 2012 elections; 4) the influence of bias in big data 5) the “Signal-to-Noise” ratio which results in increased variables that occur along with the need for a true distribution model to enable trend effective trend analysis; 6) the limitation of technology in some cases where technology was deemed more powerful and a better predictor than the human brain and 7) the use of mathematics to help with predictive modeling. As you can see from the list of topics the presentation was truly engaging and thought provoking.
Towards the end of the presentation Nate Silver provided a suggested approach that not only solidified his presentation but provided actionable guidance in how to better use data as a predictor. The suggested approach is as follows:
1) Think Probabilistically
2) Know Where You’re Coming From
3) Survey the Data Landscape
4) Try, and Err
When given the above guidance, which is clearly outlined in his book The Signal and the Noise, I instantly was able to relate to point number 2….”know where you are coming from” to risk management. The reason why it resonated with me so much is that I am a communications major and studied countless hours both in theory and practice on intra/inter personal relationships. As I work with organizations and listen to the different approaches to risk management using predictive analysis I find people in the risk management profession often overlook the power of knowing where people or in this case risks are coming from within the organization. Risks to financial data or healthcare records are different from risks to a conference room portal application. People must apply common sense to sophisticated models of risk analysis. The only way to get common sense is to drive context into the relationship of the risk to the expected results or impact to the business.
The need for context (common sense) has never been greater. As you look to drive your risk management or even security practices within our organization you must have all four elements in place not just 1, 3 and 4. Context of the risk will empower you to respond in a logical, appropriate, timely and effective manner. Context will also enable you to ensure the people, departments, divisions understand the impact to their world and can also enables the conversations you need to have executive leadership for relational visibility into the risks that truly impact the their world. Without context you will provide less meaningful data and increase the risk exposure to your organization.
In closing I recommend reading Nate Silver’s book The Signal and The Noise and look forward to seeing how all of you apply his astute suggested approach.
During this year’s EMC World in Las Vegas the leading GRC platform was presented during a record attended keynote with Jeremy Burton and Jason Rader who shared GRC from the perspective of a CIO.
This example is one of many use cases that a GRC platform can enable executives to have a clear “real-time” picture of their risk posture.
I am happy to announce that RSA will be hosting the 10th annual RSA Archer GRC Summit in Washington D.C., June 12-14, 2013 at the Omni Shoreham Hotel.
As I have actively helped plan these events since 2006 I am humbled at the continued momentum these events have achieved and is driven by the premier GRC community with over 10,000 active members. The momentum continues this year with a record number of attendees (800+) and an agenda that includes over 35 client led presentations on GRC implementation strategies and best practices, 15 technical breakout sessions on the RSA Archer GRC Platform, over 10 birds of a feather round table discussions and executive collaboration from over 500 global organizations.
In addition to the great line up of content for both technical and business GRC practitioners within the IT, Finance, Operations and Legal domains there will be three outstanding keynotes during the three day event. One of the keynotes that I have had the pleasure to meet and listen to is Bruce Bueno de Mesquita. Bruce is a Silver Professor of Politics, New York University; Senior Fellow, Hoover Institution, Stanford University. Coauthor of The Dictator’s Handbook and author of The Predictioneer’s Game.
Bruce has been on The Daily Show, The Cobert Report and has performed in numerous Ted Talks including a great presentation titled: Predicts Iran’s Future
Why is Bruce Bueno de Mequita the perfect person to keynote at the 2013 RSA Archer GRC Summit? Risk Analytics of course!!
Over his long tenure as a professor and political consultant, Bruce has conferred with experts on all the world’s most pressing issues and fed their knowledge into a vast and highly sophisticated computer model of global affairs.
This combination of wide-ranging expertise and high-power analytics allows him to make strikingly accurate predictions of world events and speak with authority on the
power dynamics of everything from office politics to international summits.
I will continue to provide updates on the most valuable, highly anticipated and attended GRC event in the industry.
Until then…..keep thinking GRC.
I was speaking to a board member of a large investment advisory firm recently about his expectations of the company’s IT security function. He said: “I just need to know that our data is protected, that IT risks are tied back to the business, that we can maintain the continuity of our business operations, and that we can effectively manage our regulatory risks.”
No pressure, then, right!?
The fact is, a lot of senior management teams and boards are getting wise to the fact that they need more closely linked security, risk management and compliance activities. This is why IT security is linked to GRC and their relationship is so important from both a top-down and bottom-up perspective.
Here are some more expectations I’m hearing from C-level executives and board members:
- We want to understand how security events, and our responses to them, tie to our risk profile and remediation efforts at the enterprise level.
- We want to know that our security/IT risk assessments are clearly connected to, and consistent with, our enterprise risk assessment processes.
- We want to understand how security risks are developing so that the future doesn’t take us completely by surprise. And to minimize the chance of a ‘black swan’ event.
- We want to be able to put meaningful metrics against security risks and controls; and define key risk indicators, key compliance indicators, key performance indicators for our security team.
In the end, GRC matters to IT security functions because to meet these expectations you need a level of visibility and control, top-down and bottom-up, that only a sustainable eGRC program can deliver. I’ll take a brief look at what eGRC can mean for IT security in a follow-up blog.
By Alex Bender, Director, eGRC Programs and Strategy, EMC
As many of you know the Gartner Security and Risk Summit was held this week in Washington D.C. at the Gaylord National. The event was excellent with many great sessions/discussions on business continuity, privacy in the enterprise, advanced persistent threats and security in the cloud. One of the best session was held on Wednesday titled: Enterprise and Operational Risk Management: What the Board Wants which was moderated by Dale Kutnick and French Caldwell. In this session there were 4 board members representing different perspectives due to their past experiences as well as the industries they serve. The concept was to provide the members in the audience, comprised mostly of IT professionals, a chance to hear what the board perceives as the value of IT to an organization and the information that IT needs to provide a board to make strategic decisions. Here are a few highlights as to why I thought the session was so great:
During the session a poll was given to the audience that provided real-time feedback capability via text. There were over 110 people in the audience that responded to the question: What IT risks should be communicated to the board?
The category and results of the poll were very revealing:
- Data Protection – 30%
- IT Risk to the Business Strategy – 23%
- Continuity of Operations – 21%
- Regulatory Risks – 16%
- IT Investment – 5%
- Mobility Risks – 4%
I interpret these results in a variety of ways. The most obvious is that the fact that data protection topped the list is due to the numerous privacy issues that have dominated the world over the last several years and that IT thinks too much about ……. well IT. Shocker right? The conversation that ensued was that the board didn’t think that data protection was the top issue. They wanted to know about IT risk to the business. In fact one of the board members stated “is our data backed up and protected? Great…that is your job and that is all I need to know.” They also mentioned how IT wants to talk speeds and feeds about how they protect data and the board could essentially care less. All the board wanted to hear was how IT protected data to keep the name out of the headlines which brings me to the following two additional observations which are…
- IT Wants to Talk about the Complexities of Their Job vs. Providing Business Context: One of the board members stated they don’t care about the complex nature of how data are stored, the technology behind securing the data and what the day-to-day tasks are in IT. There is a huge language barrier at play and it has existed over the last 11 years that I have been in security, risk and compliance industry which is we always want to make things so complex/complicated. IT leaders need to put their responsibilities and organizational efforts in simple terms that mean something to the business decision process. The organizations that address the language barriers between IT and the business are starting to be the most successful in their approach to solving real problems for the business.
- Top Down vs. Bottoms Up Approach: Organizations as a whole that take a top down approach to driving awareness in the organization on security, risk and compliance issues are the ones that struggle the most. A bottom up approach is needed. If everyone in the organization embraces and understands the risks then the company as a whole will be able to manage, mitigate and preempt risks more efficiently. In many cases avoid major risks all together. This is where an extremely powerful training and awareness program can make or break a security, risk and compliance program. Also when you couple the training program with a simple yet effective communication program you can gain critical mass with your most valuable assets….your people.
I recommend to everyone in IT to seek out all the material you can on what a board wants to hear about and how to understand the value that IT brings in business terms. Also, know how your organization can work with the leaders in business to deliver against the broad set of corporate objectives and not think so much about the complexities of IT. Because if you align IT to the broader set of strategic objectives that are important to the enterprise and communicate the value and risks effectively you are actually delivering what your boss and the board really wants. I also recommend the board of advisors for all companies start learning more about the value IT can bring vs. thinking “it is too technical”. You are supposed to be a smart set of individuals and want to ensure shareholder value is increasing. By learning more about technology and what IT is doing to support the business you will fund it appropriately and appreciate that part of the business a lot more that you do today.
Bridging the CISO-CEO Divide
Ponemon Institute Research – The Role of Governance, Risk Management & Compliance in Organizations