Risk Management and Business Context

This week I attended the RSA Security Analytics Summit in Washington D.C. and had the incredible opportunity to meet one of the smartest individuals to date. Nate Silver was the keynote and he covered a lot of ground including 1) an analogy of the proliferation of information via the printing press in 1440 and, most recently, the World Wide Web in 1990; 2) The End of Theory: The Data Deluge Making the Scientific Method Obsolete; 3) the 538 method and lessons from the 2012 elections; 4) the influence of bias in big data; 5) the “Signal-to-Noise” ratio, which results in increased variables that occur along with the need for a true distribution model to enable effective trend analysis; 6) the limitation of technology in some cases where technology was deemed more powerful and a better predictor than the human brain; and 7) the use of mathematics to help with predictive modeling. As you can see from the list of topics, the presentation was truly engaging and thought provoking.


Towards the end of the presentation Nate Silver provided a suggested approach that not only solidified his presentation but provided actionable guidance in how to better use data as a predictor. The suggested approach is as follows:

1) Think Probabilistically
2) Know Where You’re Coming From
3) Survey the Data Landscape
4) Try, and Err

When given the above guidance, which is clearly outlined in his book The Signal and the Noise, I was instantly able to relate point number 2, “know where you are coming from,” to risk management. The reason why it resonated with me so much is that I am a communications major and studied countless hours, both in theory and practice, on intra/interpersonal relationships. As I work with organizations and listen to the different approaches to risk management using predictive analysis, I find people in the risk management profession often overlook the power of knowing where people, or in this case risks, are coming from within the organization. Risks to financial data or healthcare records are different from risks to a conference room portal application. People must apply common sense to sophisticated models of risk analysis. The only way to get common sense is to drive context into the relationship of the risk to the expected results or impact to the business.

The need for context (common sense) has never been greater. As you look to drive your risk management or even security practices within your organization, you must have all four elements in place, not just 1, 3 and 4. Context of the risk will empower you to respond in a logical, appropriate, timely and effective manner. Context will also enable you to ensure the people, departments and divisions understand the impact to their world, and it also enables the conversations you need to have with executive leadership for relational visibility into the risks that truly impact their world. Without context you will provide less meaningful data and increase the risk exposure to your organization.

In closing I recommend reading Nate Silver’s book The Signal and The Noise and look forward to seeing how all of you apply his astute suggested approach.


Shire Pharmaceuticals Drives Into the Future of Healthcare

Some would say that there is nothing more gratifying than helping people in need. In the case of Shire Pharmaceuticals, helping people with life-altering conditions to lead better lives is core to their business and their culture. Based nearby in Lexington, Massachusetts, Shire focuses on developing treatments for conditions in neuroscience, rare diseases, gastrointestinal, internal medicine and regenerative medicine. The need to stay on the cutting edge of healthcare is paramount to the organization and information security has played a key role in that mission.

Shire’s Senior Director of Information Risk Management & Security, Bob Litterer, came to the company tasked with developing a world class information security function aligned to their business goals. Like so many CISOs today, Bob knew the importance of information security as a business enabler, but needed to drive awareness and create a security culture that embraced their business. In his words, “we didn’t want to perform security for security’s sake.” He was also tasked with reducing costs associated with changing compliance requirements, driving up efficiency, and managing acceptable risk tolerances so the organization could continue to innovate and stay competitive. Quite a tall order when there is so much on the line.

Like any good leader, Bob knew he needed a great team behind him, so he brought in one of our alliance partners, OpenSky, who helped build a comprehensive Governance, Risk and Compliance (GRC) platform based on RSA Archer.

As you heard Peter Ridgley, Lead Consultant from OpenSky, explain in the video, Shire was able to quickly spotlight where there was a need for improvement as well as areas where they were successfully hitting the mark. The visibility through RSA Archer allows Shire to do a drill-down review of each area to determine how they can improve, driving credibility into the management of the program as well as demonstrating its depth.

Additionally, Shire is now able to continue that assessment on a regular basis to report progress, showcase how the information security organization is aligned with the goals of the business, and ensure they are always able to meet changing business needs and compliance requirements.

While this project is impressive in and of itself I am happy to share with you that Shire has earned an important industry accolade as well. Just last week, the company was awarded the OCEG GRC Achievement Award at the 2013 Compliance Week Conference which recognizes organizations that make great strides in improving and integrating their approaches to governance, risk management and compliance. Working with OpenSky, Shire leveraged the OCEG Redbook to provide a framework for managing the GRC Program and it has been paying off in spades. Thanks to the dedication of Shire and OpenSky as well as the power of RSA Archer, Shire gets to take home this honor and we couldn’t be happier.

Leading GRC Platform Used as a CIO Dashboard

During this year’s EMC World in Las Vegas, the leading GRC platform was presented during a record-attended keynote with Jeremy Burton and Jason Rader, who shared GRC from the perspective of a CIO.

This example is one of many use cases in which a GRC platform can give executives a clear “real-time” picture of their risk posture.

Heat maps: not quite so hot anymore?

On the face of it, a colorful heat map looks like a great way of visualizing the risks that could affect an enterprise. Heat maps are easy to produce from spreadsheet data and they provide a simple view of the potential impact and likelihood of a range of risks, which can be used to help raise awareness of risk generally and to communicate the risk assessment to senior management.

So what’s wrong with heat maps? Why are security professionals cooling in their attitude towards them?

Because, as I’ve said before, the two-dimensional view of risks based on severity and likelihood is no longer enough.

[Figure: Old School Risk Heat Map]

Enterprises need to go far beyond the focus on inherent and residual risks that’s typical of a heat map and incorporate more dimensions, including assets, threats, vulnerabilities and controls. They want to look at risk relationships and mitigation tracking, with an approach to risk analysis that enables a quantitative assessment of all risks to all parts of the enterprise.

Although risk management information systems (RMIS), enterprise risk management (ERM), business continuity planning and crisis response are all specialized areas in their own right, the lines between them are starting to blur as the realization dawns that these management areas are all fundamental to an enterprise’s ability to survive and thrive.

A spreadsheet-driven approach is simply no longer up to the increasingly complex risk analysis job—and can even become a risk in itself. As Chris Duncan puts it, it’s like being armed with only a rock in the middle of a gunfight: you soon realize you need a lot more firepower.

So what’s the answer?

Heat maps can’t give you a rounded view of risks. Good risk management involves taking external and internal perspectives and modeling risk in relational diagrams, decision trees, heat maps, or even quantitative models involving at-risk simulations. So heat maps are one view but they’re not THE view.

Think about the difference between the Google Maps ‘Map View’, ‘Satellite View’ and ‘Street View’. It’s Street View that will give you the most comprehensive view of the location you’re searching for, letting you pan around to see not only the building you’re looking for but also the environment you’ll be entering.

In much the same way, when it comes to risk management, you need to use multi-dimensional models that let you view risk data from different perspectives and enable creation of risk intelligence, so that you can make informed decisions enhanced by risk simulations from quantitative models.

[Figure: Multi-Dimensional Risk Heat Map Cluster]

Doing this right also involves combining high performance analytics (HPA) so that, instead of collating the different views on a monthly basis, you can collect, analyze and predict risk outcomes in near-real time. Combining all perspectives in this way means you get a much richer, multidimensional view of risk—and is exactly why using just a heat map is an archaic idea. A possible multidimensional view is represented in the above graph.

In the end it becomes possible to see the effect of each risk on different areas of the enterprise. Each enterprise domain—such as IT, legal, finance, operations—can view each risk and determine, for example, how the domains intersect; whether it’s a geopolitical risk; whether it’s an external or an internal risk; who is responsible; and what the impact on the enterprise will be in financial, reputational or other terms.

RSA Conference Talks Big Data


I just came back from the RSA Conference in San Francisco where I couldn’t turn a corner without someone talking about how Big Data was revolutionizing the security industry. In fact, there was one session that stood out during the conference for me. It was titled “Managing Advanced Security Problems Using Advanced Security Analytics” where Eddie Schwartz, VP and CISO of RSA moderated a panel comprised of four industry analysts including Scott Crawford, Research Director of Enterprise Management Associates; John Kindervag, Senior Analyst at Forrester Research; Neil MacDonald, VP & Gartner Fellow of Gartner and; Jon Oltsik, Senior Principal Analyst from Enterprise Strategy Group.

The panel discussion covered quite a bit of ground, including defining what Big Data actually means, the acceptance within security organizations of using big data analytic techniques, the prediction of when security professionals will embrace big data analytics and, finally, how big data can be the answer to the advanced threat problem with its incredible scalability and high speed analytics.

Discussion point that I agree with:

1)     Everyone from the moderator to the panel participants acknowledged that the current approach that companies are taking to manage the advanced threat problem fails due to lack of event context and constraints in traditional IT architecture. The panel also pointed out that there are many organizations that are not changing their ways from traditional perimeter based security, anti-virus, etc. due to a “what we don’t know won’t hurt us” mentality, which leaves the security teams with archaic technology that gives them no visibility into the threats that affect their business.

Discussion point that I did not agree with:

1)     Heat maps are a must to provide visualization. This is something I cannot agree with, as the notion of a heat map is, even to a risk professional, becoming obsolete, since heat maps only provide a two dimensional view into the risks that could affect the business. They are not multidimensional and only provide areas of risks vs. different views into key risk issues with details. I have seen organizations phase out heat maps and phase in multidimensional models that provide a way to view risk data from different dimensions so you get a risk portfolio vs. just pretty colors from a heat map. It also should result in creating risk intelligence so organizations can make informed decisions, which can and should be enhanced by risk simulations from quantitative models. What was funny was that in another meeting right after the session I was handed a “global threat” heat map of the world, which showed different threat colors by country on the size of a business card… which was of no use.

The conclusion to the session did send me away with a good feeling because what I heard was that using Big Data solves many things that GRC programs should do, which is break down information silos, automate the capture of information, normalize/correlate data and organize the information to be able to respond to risks in an organized/prioritized fashion. Sound familiar? I just can’t wait to see the scale of information capture and speed of analytics better enable the “R” in GRC.

What the board of advisors really want from IT

By Alex Bender, Director, eGRC Programs and Strategy, EMC

As many of you know, the Gartner Security and Risk Summit was held this week in Washington D.C. at the Gaylord National. The event was excellent, with many great sessions/discussions on business continuity, privacy in the enterprise, advanced persistent threats and security in the cloud. One of the best sessions was held on Wednesday, titled: Enterprise and Operational Risk Management: What the Board Wants, which was moderated by Dale Kutnick and French Caldwell. In this session there were 4 board members representing different perspectives due to their past experiences as well as the industries they serve. The concept was to provide the members in the audience, comprised mostly of IT professionals, a chance to hear what the board perceives as the value of IT to an organization and the information that IT needs to provide a board to make strategic decisions. Here are a few highlights as to why I thought the session was so great:

During the session a poll was given to the audience that provided real-time feedback capability via text. There were over 110 people in the audience that responded to the question: What IT risks should be communicated to the board?

The categories and results of the poll were very revealing:

  • Data Protection – 30%
  • IT Risk to the Business Strategy – 23%
  • Continuity of Operations – 21%
  • Regulatory Risks – 16%
  • IT Investment – 5%
  • Mobility Risks – 4%

I interpret these results in a variety of ways. The most obvious is that the fact that data protection topped the list is due to the numerous privacy issues that have dominated the world over the last several years and that IT thinks too much about ……. well IT. Shocker right? The conversation that ensued was that the board didn’t think that data protection was the top issue. They wanted to know about IT risk to the business. In fact one of the board members stated “is our data backed up and protected? Great…that is your job and that is all I need to know.” They also mentioned how IT wants to talk speeds and feeds about how they protect data and the board could essentially care less. All the board wanted to hear was how IT protected data to keep the name out of the headlines which brings me to the following two additional observations which are…

  1. IT Wants to Talk about the Complexities of Their Job vs. Providing Business Context: One of the board members stated they don’t care about the complex nature of how data are stored, the technology behind securing the data and what the day-to-day tasks are in IT. There is a huge language barrier at play, and it has existed over the last 11 years that I have been in the security, risk and compliance industry, which is that we always want to make things so complex/complicated. IT leaders need to put their responsibilities and organizational efforts in simple terms that mean something to the business decision process. The organizations that address the language barriers between IT and the business are starting to be the most successful in their approach to solving real problems for the business.
  2. Top Down vs. Bottoms Up Approach: Organizations as a whole that take a top down approach to driving awareness in the organization on security, risk and compliance issues are the ones that struggle the most. A bottom up approach is needed. If everyone in the organization embraces and understands the risks, then the company as a whole will be able to manage, mitigate and preempt risks more efficiently, and in many cases avoid major risks altogether. This is where an extremely powerful training and awareness program can make or break a security, risk and compliance program. Also, when you couple the training program with a simple yet effective communication program you can gain critical mass with your most valuable assets… your people.

I recommend to everyone in IT to seek out all the material you can on what a board wants to hear about and how to understand the value that IT brings in business terms. Also, know how your organization can work with the leaders in business to deliver against the broad set of corporate objectives and not think so much about the complexities of IT. Because if you align IT to the broader set of strategic objectives that are important to the enterprise and communicate the value and risks effectively, you are actually delivering what your boss and the board really want. I also recommend the board of advisors for all companies start learning more about the value IT can bring vs. thinking “it is too technical”. You are supposed to be a smart set of individuals and want to ensure shareholder value is increasing. By learning more about technology and what IT is doing to support the business you will fund it appropriately and appreciate that part of the business a lot more than you do today.

Recommended Reading:

Bridging the CISO-CEO Divide

Ponemon Institute Research – The Role of Governance, Risk Management & Compliance in Organizations

‘I didn’t see you!’ or, why visibility and control are vital to eGRC

By Alex Bender, Director, eGRC Programs and Strategy, EMC

The other day I saw a car accident. It made me think back to an accident I had years ago, which involved a car appearing so fast I didn’t see it until we were about to collide. The only thing I could do was to swerve wildly to avoid the collision, thereby losing control of my car and crashing — but at least not into the other car.

Thinking back to that accident and the aftermath — the hours spent on a litany of phone calls to my insurance company, getting repair quotes, getting the car to the garage, making alternative arrangements while I was without my car — I couldn’t help but think about the importance of visibility and control in business, as much as in life. The impacts of the lack of visibility and control are extremely apparent in the car accident example – life changing.

See more, act faster, spend less

When you have visibility you can see where you’re headed and plan appropriately to get there. When you have control you don’t have to just react wildly to changes in your environment; you can act with efficient deliberation to avoid situations that are harmful to your organization.

Lack of visibility and control, conversely, can result in a car crash for your organization; and the crash itself is just the beginning of the toll taken on time and resources. If, despite your best efforts, you’ve been unable to avoid an incident, then visibility and control play a vital role in helping you to respond effectively to the aftermath: to minimize the time and money spent identifying what went wrong, fixing the problem and dealing with the legal, operational and financial fallout.

Requirements for visibility and control

In a previous ‘two-part’ blog I wrote about the importance of collaboration across departments for effective eGRC. Well, visibility and control are the fundamental enablers of effective collaboration. So the question becomes: how do you achieve them? You can’t just wave a magic wand. Organizations of all sizes and types are struggling with eGRC issues precisely because they don’t have the visibility and control they need.

I think that for any strategy, approach or tool to give you eGRC visibility and control, it needs to have three attributes:

  • Integration. As long as information relating to eGRC is held in disparate and disconnected systems or dealt with through disconnected processes (probably using ad-hoc tools, Excel spreadsheets, Word docs and many times just quick conversations), you can never get a clear view of what you know, what you don’t know, what’s happening and how it all relates. Conversely, if you can bring everything together in one place, not just as a central dumping ground but in a way that lets you connect it in meaningful ways, then you’re most of the way to having the visibility you need — to be proactive, rather than always firefighting, and to see the big picture that lets you take a strategic approach to solve your business needs.
  • Automation. One of the difficulties in achieving integration and in dealing with the results is that there’s just so much to integrate and manage in a manual way. Too much to have a hope of doing it effectively without technological help. With the best will in the world, spreadsheets won’t cut it. Manually pulling data from hundreds and/or thousands of systems won’t cut it.

To avoid being swamped by information and actions, to be able to act and respond in a controlled way, you need tools that will help you up the eGRC learning curve and that will automate processes wherever possible. But you do not want to automate a bad process since that will just make bad things happen efficiently. Sometimes it is important to revamp a process while you are implementing your eGRC solutions and strategy. Questions to ask yourself are:  Do you have to respond to each new policy or regulatory requirement from scratch or do you have access to eGRC content that prevents you from having to continually reinvent the wheel? Do your processes depend on someone remembering to email someone else or do you have workflow management tools that automatically enforce standard processes? It’s obvious which answers suggest an organization more in control of eGRC.

  • Usability. However integrated and automated your eGRC efforts are, they will be of little avail if it’s too hard for people, especially non-experts in eGRC, to understand what’s going on or what they need to do. Usability is a critical requirement because visibility is only valuable if people understand what they’re seeing; and control is only valuable if people are willing to pick up the ball and do something useful with it. So you want the flexibility to be able to adapt automated processes to fit the way you work; you want to be able to present information to busy executives in ways that they understand; you want to make it easy for people to collaborate, not put them off with impenetrable technology.

When you’re looking at approaches to eGRC and assessing tools that might help you develop eGRC strategies and processes, keep these criteria in mind.

Recommended Reading:

OCEG – Red Book 2.0 (GRC Capability Model)