Large organisation IT risk can be a lot like the parable of the three blind men talking about tree trunks, ropes, and pillars while touching an elephant. Everyone's actually working on the same big picture, but their view of the subject at hand can be completely different.
The board wants to drive shareholder profits and mitigate risk. It doesn't want to get involved in operations — that's management's job, and managers are usually far from being IT experts.
Management doesn't really understand IT, either; it just knows it has to work. Every dollar spent on the IT department's "the sky will fall unless we buy this new toy" missives can't be spent on further growth to report to the board. And many projects have no direct ROI. As Yuval Illuz, deputy CIO of ECI Telecom, Israel, put it: "Getting management to pay attention to information security can be difficult, because we're trying to prevent something that hasn't happened yet."
Finally, the IT department is viewed as a cost centre when management is constantly trying to minimise costs. It doesn't get a lot of attention while it tries to hold things together with scant resources, but as soon as there's a crisis, it's the IT department's fault (and problem).
How do you formalise procedural cross-organisational understanding about IT risk? The first thing that might spring to mind is the certifications and quality-control paradigm, but Colin Lobley isn't a fan of IT security standards. While he said a certificate gives customers or buyers a nice badge that satisfies their own standards, most buyers rely on the certification itself instead of looking at the serious issues of performance and risk management.
"You can achieve the ISO standard relatively easily and cheaply," said Lobley, director of risk management firm Manigent. "If the board has it, why should they give IT security any further attention or budget? Even if a company suffers an incident, they seem to have some level of protection in terms of market perception if they have the ISO."
Yehuda Cagen of Xvand Technology Corporation agrees that formal, robust groundwork is valuable. "Start — and agree upon — an internal risk assessment that takes into account the potentially affected business areas, impact and probability of failure, the estimated number of probable incidents, and the costs of mitigating the risks," Cagen said. "Then, you can outline what the company can reasonably afford for risk management."
Cagen spoke about a business case where a new president and VP joined an organisation only to have the IT team refuse to connect their mobile devices to the company network. The reason given was the very vague and indistinct "security policies".
"When an IT team speaks in ambiguous or veiled terms, management typically assumes they're incompetent or hiding something," Cagen said. In this case, the IT edict was found to be correct, but he said the root of the issue was inter-departmental miscommunication.
The bigger the organisation, the bigger the gap between stakeholders can be, making security risk assessment very much the IT department's problem and nobody else's. But establishing formal lines of procedure and communication only happens when everyone buys in. As Stephane Charbonneau, CTO at Ottawa security vendor Titus, said, "Data security is not an IT issue, but a business imperative."
The key to getting everyone on the same page is to use formal policies to break the language barrier — one that Colin Lobley thinks will always be there. "The cultural gap and language barrier between the IT departments or CISOs and the board is too big to bridge," he said. "Well-established organisational constructs are perfectly sufficient to support a more efficient model of IT security management. It means spending on IT development or security will be adequate, and CISOs can stay doing what they're good at — security."
It's all, Lobley added, about the structure. Security is only one way to manage risk, and the chief risk officer in large organisations has a wider remit. But because the CRO is usually in a board or executive role, it's appropriate to use him or her as the translator between the head of information security and the board.
Other security experts we talked to agreed. Though they wouldn't name clients, one said, "Very few companies — tech and non-tech alike — are mature enough in their risk thinking to articulate risks in the same terms as performance. Nor are they mature enough to assess and report on the alignment of their risk exposure against an agreed corporate risk appetite for achieving those objectives."
If there's a magic bullet for communicating between IT and an enterprise or organisational board, framing risk in financial terms comes as close to it as anything.
According to Lobley, too many businesses fail to set quantitative parameters for risk (what he terms risk appetite) and assess risk with meaningless metrics like "1 to 5" or "very low to very high". "It's pointless," he said. "It's like saying, 'We think there are risks, but we don't know exactly how high.' It makes it very difficult for a board to invest in controls confidently."
Instead, align the language. Let's say you enter a new market with KPIs of $3 million revenue in the first year, and the board has a high appetite for risk of 25 percent, or $750,000 for the initiative. A risk manager needs to assess risks in those terms. So if risk A is worth $100,000, risk B $500,000, and risk C $300,000, that's a total exposure of $900,000. A board can quickly see that this is above its agreed risk appetite and respond appropriately.
In a real-world example, Lobley worked with a client outside the tech sector. When he asked frontline staff how the business was impacted by an incident that caused the IT system to go offline for two hours, the response was simply "not a lot". Upon talking to management, however, it soon became apparent that the company had exposed itself to significant risk. Client contracts and SLAs promised a response to customer queries within 90 minutes, which the two-hour downtime violated.
"They were lucky because there were no penalty clauses," Lobley said. "But when it comes to contract renewal, will the customer be disgruntled or concerned about the level of service? Will they negotiate the price down due to inadequate service, or worse, go to a competitor?"
It was another case where he said the risk of IT downtime was scored on a scale of very low to very high. "It wasn't articulated against the objectives of the business — dollars. [The risk of] losing a contract renewal over one small IT downtime is very low, let's say it's 2 percent. But if the contract renewal was worth $5 million, then the overall risk of likelihood times impact is $100,000."
Framing threats not as IT risks but in terms of business objectives also lets you review exposure against the risk limits you set ahead of time. Overexposed, and you'll need more investment in controls. Underexposed, and you can soften controls and free up funds that other departments are no doubt clamouring for.
To further the concept above, let's say you have a $2 million product pipeline and ascertain an IT risk exposure of $600,000. If your risk appetite is $500,000, you can spend $100,000 on risk control. If that mitigates the risk, it can cement your reputation as a secure and trusted provider. If your subsequent marketing based on that increases business by 10 percent, or $200,000, your risk management investment has doubled your money.
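A small risk register in this dollar-denominated form, as an added example that is not from the article or from anyone quoted in it: each risk carries a probability and a dollar impact, expected loss is likelihood times impact, and the summed exposure is set against an appetite expressed as a share of the objective's value. The risk names, probabilities and impacts are constructed, chosen so the totals match the $3 million revenue, 25 percent appetite scenario above; the same `assess` function also reproduces the $600,000 exposure against a $500,000 appetite.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One register entry stated in business terms, not on a 1-to-5 scale."""
    name: str
    likelihood: float  # probability the loss event occurs, 0.0 to 1.0
    impact: float      # financial impact in dollars if it does occur

    def __post_init__(self):
        # An ordinal score such as "3 out of 5" cannot be summed or set against a
        # dollar appetite, so anything that is not a probability is rejected here.
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be a probability")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact must be a dollar amount >= 0")

    @property
    def exposure(self) -> float:
        """Expected loss in dollars: likelihood times impact."""
        return self.likelihood * self.impact


def assess(risks: List[Risk], objective_value: float, appetite_fraction: float) -> dict:
    """Aggregate exposure vs. the appetite agreed up front (a share of the objective).
    A positive gap is exposure that controls must buy down, and a ceiling on what those
    controls are worth; a negative gap is headroom that can be released to other budgets."""
    appetite = objective_value * appetite_fraction
    exposure = sum(r.exposure for r in risks)
    return {
        "appetite": appetite,
        "exposure": exposure,
        "gap": exposure - appetite,
        "within_appetite": exposure <= appetite,
        # Largest contributors first, so it is clear where control spend pays off.
        "ranked": sorted(risks, key=lambda r: r.exposure, reverse=True),
    }


if __name__ == "__main__":
    # Constructed register: $3M first-year revenue target, 25% appetite; the hypothetical
    # probabilities and impacts are chosen so exposures come to $100k, $500k and $300k.
    register = [Risk("A: key supplier outage", 0.10, 1_000_000),
                Risk("B: customer data breach", 0.25, 2_000_000),
                Risk("C: SLA penalty exposure", 0.30, 1_000_000)]
    result = assess(register, 3_000_000, 0.25)
    for r in result["ranked"]:
        print(f"{r.name:<26} ${r.exposure:>10,.0f}")
    print(f"exposure ${result['exposure']:,.0f} vs appetite ${result['appetite']:,.0f}"
          f" -> gap ${result['gap']:,.0f}")
```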
The Kentucky Department of Education uses an information portal called Infinite Campus to deliver grades, attendance, registration services, class schedules, etc., for students and parents across the state. About two weeks before the start of the autumn 2013 semester, the department's IT organisation noticed an attack pattern directed at the Infinite Campus website, seemingly an attacker probing for vulnerabilities. Not long after, a distributed denial-of-service (DDoS) attack was launched that locked students, parents, and administrators out.
The department used several IP mapping and packet selection techniques to intercept the attack, and the battle was often fought in real time, which tied up IT resources as they tried to keep up with each fresh wave of attacks. Department officials, who didn't know what a DDoS attack was, were demanding action; school was starting in two weeks. Nobody knew what anyone else was talking about, and the situation was escalating.
The security services of telecommunications provider AT&T were called in when the department realised that it needed someone to connect the interests of both departments in a unified front. AT&T used proprietary algorithms and a database of over 1 million threat signatures to help the department's IT staff monitor, analyse, and respond to the threat, and service was restored.
Crucially, it was all done in the cloud, which meant that IT didn't have to ask management for more money to spend on infrastructure or software changes that would take even more time to explain and plan for. The fix didn't impact officials any more than the problem already had, and the results were as fast as they'd demanded.
Of course, risk assessment has to cover much more than just advanced persistent threats and cybercrime. When employees are let go, for example, organisations need very strict and proactive policies and workflows to account for and review user access and privileges. Large-scale breaches like the recent Target credit card incident are embarrassing enough, but those perpetrated by disgruntled former staff members send a very clear message to the marketplace that you don't even have your own house in order, never mind the bad guys outside.
The smart money is also on getting IT involved in big projects or changes from the get-go — everything from product launch dates to mergers and acquisitions (which could expose the IT environment to new systems and data that need work to integrate).
In a recent report from SolarWinds, which produces IT management software and monitoring tools, 300 IT pros in the US and Canada were polled about IT's role in risk management. Referring to the results, the authors said technology has become important enough that "back-of-the-house IT pros" need to take a seat at the table. Tellingly, only one third of those surveyed felt confident in their ability to provide strategic IT-related business advice. To do so, more than half said they'd need more training in their area, and just under 40 percent said they'd need a better understanding of their companies' business.
Risk management is becoming a more urgent factor in business because of the advances and expansion of IT, and understanding between stakeholders in your organisation is critical. When (not if) an outage, data corruption, external attack, or other disaster strikes, will you be ready?