Risk Management and Business Context

This week I attended the RSA Security Analytics Summit in Washington D.C. and had the incredible opportunity to meet one of the smartest individuals to date. Nate Silver was the keynote and he covered a lot of ground including 1) an analogy of the proliferation of information via the printing press in 1440 and the most recently the world wide web in 1990; 2) The End of Theory: The Data Deluge Making the Scientific Method Obsolete; 3) The 538 method and lessons from the 2012 elections; 4) the influence of bias in big data 5) the “Signal-to-Noise” ratio which results in increased variables that occur along with the need for a true distribution model to enable trend effective trend analysis; 6) the limitation of technology in some cases where technology was deemed more powerful and a better predictor than the human brain and 7) the use of mathematics to help with predictive modeling. As you can see from the list of topics the presentation was truly engaging and thought provoking.

Signal To Noise Ratio_opt

Towards the end of the presentation Nate Silver provided a suggested approach that not only solidified his presentation but provided actionable guidance in how to better use data as a predictor. The suggested approach is as follows:

1) Think Probabilistically
2) Know Where You’re Coming From
3) Survey the Data Landscape
4) Try, and Err

When given the above guidance, which is clearly outlined in his book The Signal and the Noise, I instantly was able to relate to point number 2….”know where you are coming from” to risk management. The reason why it resonated with me so much is that I am a communications major and studied countless hours both in theory and practice on intra/inter personal relationships. As I work with organizations and listen to the different approaches to risk management using predictive analysis I find people in the risk management profession often overlook the power of knowing where people or in this case risks are coming from within the organization. Risks to financial data or healthcare records are different from risks to a conference room portal application. People must apply common sense to sophisticated models of risk analysis. The only way to get common sense is to drive context into the relationship of the risk to the expected results or impact to the business.

The need for context (common sense) has never been greater. As you look to drive your risk management or even security practices within our organization you must have all four elements in place not just 1, 3 and 4. Context of the risk will empower you to respond in a logical, appropriate, timely and effective manner. Context will also enable you to ensure the people, departments, divisions understand the impact to their world and can also enables the conversations you need to have executive leadership for relational visibility into the risks that truly impact the their world. Without context you will provide less meaningful data and increase the risk exposure to your organization.

In closing I recommend reading Nate Silver’s book The Signal and The Noise and look forward to seeing how all of you apply his astute suggested approach.

S2N Book

Business continuity as an element of GRC. An illustration

In my last blog,  I promised to bring you a case study that illustrates the benefits of applying the best practices of eGRC to business continuity management. So here it is.

We’re looking at a financial institution that provides insurance, retirement and investment products, mainly to cooperatives, credit unions and their members worldwide. As a leader in its industry, this company takes risk management and data protection very seriously. Both its own high standards and the requirements of the regulations that it must adhere to make risk management a company priority.

Why doing the right things isn’t always enough
The company was doing the right things. It was carrying out vendor assessments to evaluate the risks presented by some 250 partners. It recorded policy exceptions, such as applications that wouldn’t support new standards for robust passwords. It was also conducting annual business continuity business impact analyses and had disaster recovery plans for all of its key applications.

Sounds pretty robust, right?

The catch is that all of these activities were standalone processes with outputs held by relevant business owners in emails, filing cabinets or limited fileshares. The company’s IT security and risk management team had little visibility of any of this documentation and had no easy way to identify emerging IT or business risks that might affect business continuity or disaster recovery plans. There was also limited collaboration between the IT disaster recovery team and the company’s business continuity team within its corporate risk function.

Senior business executives had even less insight. They just assumed that IT could get a data center up and running again in a few hours. They didn’t appreciate what might happen if a natural disaster struck. They didn’t really understand the risk or potential impact of a data breach, whether through a vulnerability of the company itself or a partner.

The company knew it could do better. It wanted to remove the various disconnects between business users, IT and senior management. “Our focus was to transition from standalone processes to a more complete company-wide view so that we could make better decisions based on the bigger picture without digging into details first,” says the company’s chief information security officer.

What happens when you integrate and share?
So now the company has implemented a central solution that supports both business continuity and other risk management activities.*  It has an integrated tool through which to gather, process, store and report on risk- and infrastructure-related information, including business impact analysis surveys and disaster recovery plans.

Everything is in one place and consistent processes and workflows can be applied to all business areas. Vendor assessments, policy exceptions and other risk-related documentation can all be accessed, reported on, and used to inform business continuity teams and risk management activities. Data from business impact analysis surveys can be combined with metadata about systems gathered through a different process, enabling the company to tie together its system, server and database dependencies. Disaster recovery plans developed with application owners are consistent and, instead of being treated as independent items, can be orchestrated into an overriding plan with priority given to applications based on their criticality.

Senior executives have direct access to a reporting dashboard and can quickly see open risks, vulnerabilities and whether disaster plans have passed their tests. There’s no longer a gap between their perceptions and reality. This visibility has given the IT security and risk management team the ability to justify appropriate investment to fix problems.

And there’s more

The impetus for this company was always the desire to protect its customers and prove itself a trustworthy partner. But it’s also saving a lot of time: a couple of hundred hours from efficiencies in conducting impact analysis surveys; and a 75% reduction in the number of people needed to perform vendor assessments.

So I hope I’ve illustrated my point from the previous blog: a siloed approach to business continuity or risk management is not the way forward; an integrated approach is the only way to get your organization into a best-in-class status among the business elite.

* In case you’re wondering: the solution referred to, which holds all the company’s critical disaster recovery information, is itself backed up to an active offsite instance so that it remains accessible in the event of a disruption taking out the primary tool.

Resources:

Large Financial Services Business Continuity Case Study
Large Telecommunicaitons Company Business Continuity Case Study

‘I didn’t see you!’ or, why visibility and control are vital to eGRC

By Alex Bender, Director, eGRC Programs and Strategy, EMC

The other day I saw a car accident. It made me think back to an accident I had years ago, which involved a car appearing so fast I didn’t see it until we were about to collide. The only thing I could do was to swerve wildly to avoid the collision, thereby losing control of my car and crashing — but at least not into the other car.

Thinking back to that accident and the aftermath — the hours spent on a litany of phone calls to my insurance company, getting repair quotes, getting the car to the garage, making alternative arrangements while I was without my car — I couldn’t help but think about the importance of visibility and control in business, as much as in life. The impacts of the lack of visibility and control are extremely apparent in the car accident example – life changing.

See more, act faster, spend less

When you have visibility you can see where you’re headed and plan appropriately to get there. When you have control you don’t have to just react wildly to changes in your environment; you can act with efficient deliberation to avoid situations that are harmful to your organization.

Lack of visibility and control, conversely, can result in a car crash for your organization; and the crash itself is just the beginning of the toll taken on time and resources. If, despite your best efforts, you’ve been unable to avoid an incident, then visibility and control play a vital role in helping you to respond effectively to the aftermath: to minimize the time and money spent identifying what went wrong, fixing the problem and dealing with the legal, operational and financial fallout.

Requirements for visibility and control

In a previous ‘two-part’ blog I wrote about the importance of collaboration across departments for effective eGRC. Well, visibility and control are the fundamental enablers of effective collaboration. So the question becomes: how do you achieve them? You can’t just wave a magic wand. Organizations of all sizes and types are struggling with eGRC issues precisely because they don’t have the visibility and control they need.

I think that for any strategy, approach or tool to give you eGRC visibility and control, it needs to have three attributes:

  • Integration. As long as information relating to eGRC is held in disparate and disconnected systems or dealt with through disconnected processes (probably using ad-hoc tools, excel spreadsheets, word docs and many times just quick conversations), you can never get a clear view of what you know, what you’ve don’t know, what’s happening and how it all relates. Conversely, if you can bring everything together in one place, not just as a central dumping ground but in a way that lets you connect it in meaningful ways, then you’re most of the way to having the visibility you need — to be proactive, rather than always firefighting, and to see the big picture that lets you take a strategic approach to solve your business needs.
  • Automation. One of the difficulties in achieving integration and in dealing with the results is that there’s just so much to integrate and manage in a manual way. Too much to have a hope of doing it effectively without technological help. With the best will in the world, spreadsheets won’t cut it. Manually pulling data from hundreds and or thousands of systems won’t cut it.

To avoid being swamped by information and actions, to be able to act and respond in a controlled way, you need tools that will help you up the eGRC learning curve and that will automate processes wherever possible. But you do not want to automate a bad process since that will just make bad things happen efficiently. Sometimes it is important to revamp a process while you are implementing your eGRC solutions and strategy. Questions to ask yourself are:  Do you have to respond to each new policy or regulatory requirement from scratch or do you have access to eGRC content that prevents you from having to continually reinvent the wheel? Do your processes depend on someone remembering to email someone else or do you have workflow management tools that automatically enforce standard processes? It’s obvious which answers suggest an organization more in control of eGRC.

  • Usability. However integrated and automated your eGRC efforts are, it will be of little avail if it’s too hard for people, especially non-experts in eGRC, to understand what’s going on or what they need to do. Usability is a critical requirement because visibility is only valuable if people understand what they’re seeing; and control is only valuable if people are willing to pick up the ball and do something useful with it. So you want the flexibility to be able to adapt automated processes to fit the way you work; you want to be able to present information to busy executives in ways that they understand; you want to make it easy for people to collaborate, not put them off with impenetrable technology.

When you’re looking at approaches to eGRC and assessing tools that might help you develop eGRC strategies and processes, keep these criteria in mind.

Recommended Reading:

OCEG – Red Book 2.0 (GRC Capability Model)

Don’t we all work for the same company? Part 2

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Yesterday’s blog started talking about how important collaboration is to eGRC issues such as privacy of information. I asked you to consider any kind of information breach and looked at why IT and legal will inevitably be involved and have to work together. I recently spoke to Barb Mosher about the Ponemon Survey and she wrote a great article titled: GRC Initiatives Critical, Yet Enterprise Strategy, Collaboration Lacking which outlines the key issues I have described in this blog series. Let’s now look at the other two key functions to get drawn in: operations and finance.

Operations in the firing line

The effect of a breach on an organization’s operations will very much depend on the nature of the breach and the organization’s business. As data-breach notification laws become more common, every breach will at least require customers to be informed — especially those customers directly affected. Many breaches will also have a direct effect on the organization’s ability to continue to deliver its products or services, whether because a network or website must be taken offline, product functionality must be reengineered, or a back-office process must be suspended until the issues have been investigated and remediated.

If an organization is lucky, any disruption to business-as-usual will be brief; but we’ve seen that it can take weeks to restore affected services, giving customers more to complain about and reporters and bloggers more to write about. Collaboration between IT and operations is critical to managing the timelines for service restoration or product remediation, and for the related task of managing customer expectations.

Customer (and media) communications following a breach are fast becoming a minefield for organizations, with the potential to explode no matter what they do. Pressure is mounting for notification to happen as soon as an organization becomes aware of a breach, whereas even a year ago it was not unusual for months to pass between breach identification and notification. This new demand is perfectly understandable: if private information relating to you has been compromised, you’d rather know sooner than later. But it means that organizations may not have time to understand what’s really happened before they have to tell customers; which in turn may necessitate embarrassing corrections as the picture becomes clearer. It’s really not unusual for the investigation of a breach to reveal that it’s more serious than the organization first realized.

If pressure continues to mount to speed up the notification process, it will become more vital than ever for IT, operational and legal teams to work together to clarify understanding across the organization of what’s known, what isn’t known, and what might be subject to further discovery and possible revision.

Finance in the command center

Ultimately, organizations need to know what the total financial implications of a breach are, because risk management is ultimately about weighing the cost to prevent a risk against the likelihood of it happening and the cost to the organization if it does. When a breach happens, the finance department needs accurate information in order to validate the organization’s approach in relation to this kind of risk, or to adjust it going forward.

Reporters will pounce on any movement of a company’s stock price in the days and weeks following a breach. If the price drops, it will be loudly proclaimed as a sign that the company’s brand has suffered as a result of the breach. We may never know how far that is true. Just as one cold winter doesn’t imply anything one way or the other about the reality of global warming, so a momentary stock price movement can’t really tell us anything about whether a company’s reputation has been significantly or permanently damaged. But in measuring the true financial cost of a breach, organizations do need to find ways to measure the effect on customer, investor and shareholder perceptions and behavior; as well as the more obvious costs of investigating, reporting on and remediating the breach, financing legal battles or settlements, and meeting the cost of fines or other sanctions.

To be able to accurately assess these costs, the finance department needs to be able to see and clearly understand what effect the breach is having on IT, legal, operations and other functions across the business.

So what department do you work for?

Thinking through the implications of any privacy-related incident, it becomes apparent that privacy is no longer (if indeed it ever was) purely a legal issue or an IT issue — no matter who is regarded as being its ultimate ‘owner’ from an organizational point of view. And as with privacy, so it is with most eGRC issues.

So the next time you need to talk to someone in another part of the organization to respond to an eGRC initiative, and someone asks what department you’re from, say you’re from the ‘legal unification department’ or the ‘IT unification department’ and your responsibility is to work across the organization to get everyone headed in the direction the organization as a whole needs you to go.

Further reading:
1. The Ponemon survey


 [S1]Or ‘My last blog’ or ‘Tuesday’s blog’ or whatever. And link to it.