Risk Management and Business Context

This week I attended the RSA Security Analytics Summit in Washington D.C. and had the incredible opportunity to meet one of the smartest individuals to date. Nate Silver was the keynote and he covered a lot of ground including 1) an analogy of the proliferation of information via the printing press in 1440 and the most recently the world wide web in 1990; 2) The End of Theory: The Data Deluge Making the Scientific Method Obsolete; 3) The 538 method and lessons from the 2012 elections; 4) the influence of bias in big data 5) the “Signal-to-Noise” ratio which results in increased variables that occur along with the need for a true distribution model to enable trend effective trend analysis; 6) the limitation of technology in some cases where technology was deemed more powerful and a better predictor than the human brain and 7) the use of mathematics to help with predictive modeling. As you can see from the list of topics the presentation was truly engaging and thought provoking.

Signal To Noise Ratio_opt

Towards the end of the presentation Nate Silver provided a suggested approach that not only solidified his presentation but provided actionable guidance in how to better use data as a predictor. The suggested approach is as follows:

1) Think Probabilistically
2) Know Where You’re Coming From
3) Survey the Data Landscape
4) Try, and Err

When given the above guidance, which is clearly outlined in his book The Signal and the Noise, I instantly was able to relate to point number 2….”know where you are coming from” to risk management. The reason why it resonated with me so much is that I am a communications major and studied countless hours both in theory and practice on intra/inter personal relationships. As I work with organizations and listen to the different approaches to risk management using predictive analysis I find people in the risk management profession often overlook the power of knowing where people or in this case risks are coming from within the organization. Risks to financial data or healthcare records are different from risks to a conference room portal application. People must apply common sense to sophisticated models of risk analysis. The only way to get common sense is to drive context into the relationship of the risk to the expected results or impact to the business.

The need for context (common sense) has never been greater. As you look to drive your risk management or even security practices within our organization you must have all four elements in place not just 1, 3 and 4. Context of the risk will empower you to respond in a logical, appropriate, timely and effective manner. Context will also enable you to ensure the people, departments, divisions understand the impact to their world and can also enables the conversations you need to have executive leadership for relational visibility into the risks that truly impact the their world. Without context you will provide less meaningful data and increase the risk exposure to your organization.

In closing I recommend reading Nate Silver’s book The Signal and The Noise and look forward to seeing how all of you apply his astute suggested approach.

S2N Book

Advertisements

Shire Pharmaceuticals Drives Into the Future of Healthcare

Some would say that there is nothing more gratifying than helping people in need. In the case of Shire Pharmaceuticals, helping people with life-altering conditions to lead better lives is core to their business and their culture. Based nearby in Lexington, Massachusetts, Shire focuses on developing treatments for conditions in neuroscience, rare diseases, gastrointestinal, internal medicine and regenerative medicine. The need to stay on the cutting edge of healthcare is paramount to the organization and information security has played a key role in that mission.

Shire’s Senior Director of Information Risk Management & Security, Bob Litterer, came to the company tasked with developing a world class information security function aligned to their business goals. Like so many CISOs today, Bob knew the importance of information security as a business enabler, but needed to drive awareness and create a security culture that embraced their business. In his words, “we didn’t want perform security for security’s sake”. He was also tasked with reducing costs associated with changing compliance requirements, drive-up efficiency, and managing acceptable risk tolerances so the organization could continue to innovate and stay competitive. Quite a tall order when there is so much on the line.

Like any good leader, Bob knew he needed a great team behind him – so he brought in one of our alliance partners OpenSky who helped build a comprehensive Governance, Risk and Compliance (GRC) platform based on RSA Archer.

As you heard from Peter Ridgley, Lead Consultant from OpenSky, explain in the video, Shire was able to quickly spotlight where there was a need for improvement as well as areas where they were successfully hitting the mark. The visibility through RSA Archer allows Shire to do a drill down review of each area to determine how they can improve driving credibility into the management of the program as well as demonstrates its depth.

Additionally, Shire is now able to continue that assessment on a regular basis to report progress, showcase how the information security organization is aligned with the goals of the business, and ensure they are always able to meet changing business needs and compliance requirements.

While this project is impressive in and of itself I am happy to share with you that Shire has earned an important industry accolade as well. Just last week, the company was awarded the OCEG GRC Achievement Award at the 2013 Compliance Week Conference which recognizes organizations that make great strides in improving and integrating their approaches to governance, risk management and compliance. Working with OpenSky, Shire leveraged the OCEG Redbook to provide a framework for managing the GRC Program and it has been paying off in spades. Thanks to the dedication of Shire and OpenSky as well as the power of RSA Archer, Shire gets to take home this honor and we couldn’t be happier.

Leading GRC Platform Used as a CIO Dashboard

During this year’s EMC World in Las Vegas the leading GRC platform was presented during a record attended keynote with Jeremy Burton and Jason Rader who shared GRC from the perspective of a CIO.

This example is one of many use cases that a GRC platform can enable executives to have a clear “real-time” picture of their risk posture.

GRC – A Performance Management Platform or A Success Management Platform?

On May 1st French Caldwell posted a blog titled GRC Will be a Performance Platform in which he references a blueprint that provides a practical approach for identifying the goals of ERM programs in terms of strategic business objectives, and linking that to an underlying GRC architecture that can drive business performance benefits. But isn’t that too limiting?

Performance Management is merely a solution category and doesn’t do GRC platforms justice! When considering how GRC platforms span across Finance, Operations, Legal and IT providing organizations ways to manage risks, demonstrate compliance and ensure governance business performance benefits is only one output and to me only represents how an organization has done historically against business objectives. This is important but not all the benefits that a GRC Platform can and should provide a company.

When organizations use GRC platforms that also includes Big Data Risk Analytics not only will they be able to report on past performance to various levels, domains and to different audiences but they will also be able to predict the future. Future performance, future risks, future efficiencies, and most important future opportunities for success. Big Data risk analytics within a GRC Platform should model out opportunities for growth that drive success within each domain. So I think that GRC platforms will not be performance management but  “Success Management Platform”. Might this be a new category?

PS – I would have really enjoyed the panel with Paul Proctor and Network Frontier’s Dorian Cougias. Not only do I find business predictive and risk management conversations interesting I also am equally if not more fascinated by conversations with “the security geeks” of the world as they save our businesses every day. We should all find them fascinating!

imagesCAH4BEPD

RSA Conference Talks Big Data

Image

I just came back from the RSA Conference in San Francisco where I couldn’t turn a corner without someone talking about how Big Data was revolutionizing the security industry. In fact, there was one session that stood out during the conference for me. It was titled “Managing Advanced Security Problems Using Advanced Security Analytics” where Eddie Schwartz, VP and CISO of RSA moderated a panel comprised of four industry analysts including Scott Crawford, Research Director of Enterprise Management Associates; John Kindervag, Senior Analyst at Forrester Research; Neil MacDonald, VP & Gartner Fellow of Gartner and; Jon Oltsik, Senior Principal Analyst from Enterprise Strategy Group.

The panel discussion covered quite a bit of ground including defining what Big Data actually means, the acceptance within security organizations of using big data analytic techniques as well as the prediction of when security professionals will embrace big data analytics and finally how big data can be the answer to the advanced threat problem with it’s incredible scalability and high speed analytics.

Discussion point that I agree with:

1)     Everyone from the moderator to the panel participants acknowledged that the current approach that companies are taking to manage the advanced threat problem fail due to lack of event context and constraints in traditional IT architecture. The panel also pointed out that there are many organizations that are not changing their ways from traditional perimeter based security, anti-virus, etc. due to “what we don’t know won’t hurt us” mentality which leaves the security teams with archaic technology that leaves them with no visibility into the threats that affect their business.

Discussion point that I did not agree with:

1)     Heat maps are a must to provide visualization. This is something I cannot agree with as the notion of a heat map is even to a risk professional becoming obsolete as they only provide a two dimensional view into the risks that could affect the business. They are not multidimensional and only provide areas of risks vs. different views into key risk issues with details.  I have seen organizations phase out heat maps and phase in multidimensional models that provide a way to view risk data from different dimensions so you get a risk portfolio vs. just pretty colors from a heat map. It also should result in creating risk intelligence so organizations can make informed decisions which can and should be enhanced by risk simulations from quantitative models. What was funny was in another meeting right after the session I was handed a “global threat” heat map of the world which showed different threat colors by country on the size of a business card…..which was of no use.

The conclusion to the session did send me away with a good feeling because what I heard was that by using Big Data it solves many things that GRC programs should do which is breakdown information silos, automate the capture of information, normalize/correlate data and organize the information to be able to respond to risks in an organized/prioritized fashion. Sound familiar? I just can’t wait to see the scale of information capture and speed of analytics better enable the “R” in GRC.

Why GRC matters to IT security teams

 

 

 

 

 

Expectations of IT security have never been higher. I talked about this a bit in my last blog . But if you don’t believe me there’s a great paper by Enterprise Strategy Group (ESG) that nicely sums up why businesses are calling for much more sophisticated, business-oriented approaches to IT security. You can find it here (look under ‘white papers’ in the right-hand navigation area)

So if you’re in charge of IT security in your organization, what do you do to meet these expectations?

If you said ‘convince the business to invest in eGRC’ then you’re ahead of the innovation curve and are taking your program to the next level.

What happens without eGRC?

Organizations that haven’t invested in eGRC are typically mired in manual processes, trying to manage security using Word documents, spreadsheets and email. They can’t connect anything to anything and have to duplicate work all the time. One IT security manager told me that his team asks the operations team to answer questions specific to FFIEC regulations in January; and then in February asks the same questions of the same people for the purposes of SOX compliance.

This kind of thing is happening in a million different ways all the time. A recent article from Computerworld, titled “Feds want uber cybersecurity compliance standard”, illustrates this as well.

It quotes Jerry Archer, CISO at Sallie Mae, who is presenting his IT-GRC strategy at the RSA Archer eGRC Roadshow in Indianapolis tomorrow (October 13). Speaking at the SINET Innovation Summit in Boston, Jerry said his agency spent 40% of its budget on complying with regulations. “What is needed is automating compliance to reduce the bite it takes from the budget,” he said.

The kicker is the response that Jerry’s remark got from Josh Corman, director of security intelligence at Akamai. He congratulated Jerry on the 40% figure, saying: “For some it’s 100%.”

The article goes on to note that “the trouble with regulations is that they drive security architectures and prevent data loss that may have little real impact, while ignoring thefts that could be devastating.”

What happens with eGRC?

So how does GRC help? For one thing, it helps you automate compliance processes and efforts so security teams can focus attention, budget and strategy on the threats that truly matter to their business.

Organizations that have invested in eGRC (assuming they’ve adopted best practices and made careful strategy and technology choices) can:

  • Automatically map policies, control standards, control procedures, authoritative sources and assessment questions to one another and see the relations between any and all
  • Track the whole life-cycle of security incidents, reliably prioritize incidents in line with business impact and objectives, automatically assign actions to respond to incidents, and report on incidents in a way that provides meaningful business context to senior management
  • Identify gaps in compliance and satisfy common compliance requirements with a ‘one-to-many’ approach

I’ve said it before and I’ll say it again: eGRC is about enterprise-wide collaboration, visibility and control. It’s time for IT security functions to lead the charge to achieve these things. Not only is it the only way to deliver value to the business, but it will make life so much easier for you!

Recommended Reading:

The ESG Information Security Management Maturity Model, a paper by Jon Oltsik, Senior Principal Analyst, ESG (July 2011)

The pressure’s on for IT security

Pressure is on for IT Security

 

 

 

 

I was speaking to a board member of a large investment advisory firm recently about his expectations of the company’s IT security function. He said: “I just need to know that our data is protected, that IT risks are tied back to the business, that we can maintain the continuity of our business operations, and that we can effectively manage our regulatory risks.”

No pressure, then, right!?

The fact is, a lot of senior management teams and boards are getting wise to the fact that they need more closely linked security, risk management and compliance activities. This is why IT security is linked to GRC and their relationship is so important from both a top-down and bottom-up perspective.

Here are some more expectations I’m hearing from C-level executives and board members:

  • We want to understand how security events, and our responses to them, tie to our risk profile and remediation efforts at the enterprise level.
  • We want to know that our security/IT risk assessments are clearly connected to, and consistent with, our enterprise risk assessment processes.
  • We want to understand how security risks are developing so that the future doesn’t take us completely by surprise. And to minimize the chance of a ‘black swan’ event.
  • We want to be able to put meaningful metrics against security risks and controls; and define key risk indicators, key compliance indicators, key performance indicators for our security team.

In the end, GRC matters to IT security functions because to meet these expectations you need a level of visibility and control, top-down and bottom-up, that only a sustainable eGRC program can deliver. I’ll take a brief look at what eGRC can mean for IT security in a follow-up blog.