How do you build a risk management plan for the enterprise that will garner executive management buy-in? In this podcast, industry expert Ross Armstrong discusses ways to balance risk management with the level of threat faced by the enterprise and to justify the costs involved in protecting your organization. He offers tips for successfully presenting your CEO with a justified risk management plan.
Read the full transcript from this podcast below:
Karen Guglielmo: Hello, and welcome to SearchCIO.com. My name is Karen Guglielmo. I'm the editor of the site, and would like to welcome you to today's expert podcast on risk management. Today I'm joined by Ross Armstrong, senior research analyst at InfoTech Research Group. At InfoTech, Ross is an analyst focusing on IT security, legislative, and regulatory compliance and the healthcare industry.
Today, Ross is joining us to talk about risk management and also offer some advice on how you can build a cost-effective risk management plan. Welcome Ross.
Ross Armstrong: Hi Karen. Thanks for having me.
Karen Guglielmo: Great. Today we're here to talk about risk management. Before we begin our question and answer session, can you just give our audience a brief overview of today's topic?
Ross Armstrong: Sure thing. Risk management has been a hot topic in recent years, and I see no reason for this to change in 2007. In fact, I think that what we're going to see is even more attention paid to risk management, especially as compliance requirements continue to grow, security threats increase, and IT executives are pressured to mitigate risk while justifying every penny they spend.
So, really, I see a much greater awareness of and focus on risk management in 2007, which is good, however, there are still too many IT professionals out there that use the word risk without knowing its real meaning and its relation to business support.
So to really know the meaning of risk you have to understand how your company views risk. You know, you need to sit down and talk to business unit leaders and find out what processes, procedures and tools are in place that help them to identify and prioritize or manage risk. You know a best case scenario is having a risk management group within the enterprise that can guide you throughout this process. The worst case scenario is finding out that the company has no concept of risk. So, if this is the case, it's still your responsibility as an IT executive to make effective business decisions.
So what I'd like to talk about today is how IT should address risk effectively in order to strengthen the enterprise's security posture as well as its decision-making abilities.
Karen Guglielmo: Thanks Ross. Now let's get started on our Q&A, and possibly address some of the questions and issues CIOs are facing today on risk management. So let's start with the basics. What would you say is risk and where would you say it comes from?
Ross Armstrong: Yeah, that's a pretty meaty question. Risk, in a nutshell, is the certainty of actions and their likely consequences. High certainty means low risk. Low certainty means high risk.
Every enterprise and every department within an enterprise faces different risks. These risks usually take the form of threats to the current viability or future success of the business. Effective IT leaders move the business forward by consistently mitigating risk.
Conversely, ineffective leaders fail to recognize critical threats, and as a result, frequently fail to add value to the business by protecting it. Risk itself comes from a variety of origins. You have external risks, such as natural disasters or events like the September 11th attacks, all of which demonstrate the critical importance of a risk management program. Emerging business models can also create risk. So market trends such as off-shoring, outsourcing, and global supply chains create new risks that must be addressed on an enterprise-wide basis. You know, regulations and regulatory compliance, you know, the ones that come to mind are Sarbanes-Oxley, Basel II, HIPAA, and the USA PATRIOT Act, and they're all driving a need to manage risk in broader terms.
Then you have, you know, your other more traditional risk categories such as, you know, financial risks, operational risks, strategic risks and technology risk, which, of course, we're going to focus on today, which arise from, you know, either reliance on obsolete systems, failed technology, hacking, viruses and so forth.
Karen Guglielmo: So how would you say CIOs should really try to convince their bosses that risk management is important and can add value to the business?
Ross Armstrong: Well, you need to demonstrate, first of all, that at the end of the day risk is a business issue, not an IT issue. As an IT professional however, it's your job to be a strategic enabler of corporate goals and objectives as they relate to risk management.
So, you know, you take security as a prime example. Security is an area that is administered and controlled by IT, but it's really up to the business to decide how, where, which and when security IT solutions will be put into place.
So it's really about executive management's mind set. So risk, and in particular, IT security, is not necessarily a technology issue. It just uses technology answers.
You know, IT managers and CIOs who do not understand the meaning of risk and the criticality of risk management are making business decisions with one arm tied behind their backs and another hand covering their eyes. You know, a successful IT organization uses risk management best practices to help the enterprise mitigate threats to the enterprise, you know, so effective risk management can help the IT decision maker protect and add value to the enterprise and its shareholders by improving decision making and project prioritization, providing a structured understanding of what threats are, contributing to sufficient allocation of resources and optimizing operational efficiency.
Karen Guglielmo: Now going back to even the basics that we talked about before, how, as a CIO, do you know if your enterprise is at risk? Are there any signs that they should look for?
Ross Armstrong: Well, the most proactive way to find out if you're at risk is to conduct a risk assessment. You know, depending on the size of the organization, what industry it's in, I mean, the complexity of that risk assessment is going to vary. So it can be either something very basic or something that's much more complex, but regardless of the approach, a risk assessment involves compiling threat scenarios much like those that would be generated during disaster recovery planning, for example. You would also gather the risk categories that we discussed a few questions ago, and of course, a comprehensive list of business critical and mission critical systems.
So once you've compiled a list of all three categories and areas that are relevant to your systems you will be ready to conduct that risk assessment. So you start by creating threat scenarios or profiles, you know, alongside a current detailed map of the organization's network.
Karen Guglielmo: In addition to the risk assessment plan, or as part of the risk assessment plan, does it also help you show what's most at risk in your IT infrastructure?
Ross Armstrong: Absolutely. You know, in terms of the actual IT infrastructure you find out what's most at risk by taking it a step further and performing a vulnerability assessment. You know, vulnerability assessments allow IT to be more proactive in securing those systems by identifying the weaknesses that could be exploited in their systems, and then also by predicting the effectiveness of additional security measures for protecting information resources from attack.
So although it is possible to conduct security vulnerability assessments in house, you know, best practices dictate that you bring in an outside authority to conduct the tests for you to ensure objectivity.
Karen Guglielmo: Interesting. And you talked before about possibly having a risk management team within your organization. Is that realistic for all organizations and company sizes, or is that mostly for the bigger enterprises?
Ross Armstrong: Well, I think it definitely applies to mid-size organizations as well, and, of course, the larger organizations, which, you know, are going to work hand in hand with other groups such as internal audit teams and security teams and what have you. Risk management teams within a small enterprise, you know, small enterprises are largely restricted by fewer resources, and this is a pinch that a lot of small enterprises are feeling with compliance with Sarbanes-Oxley. So, in that regard, you need to have at least one person who is in charge of risk management and can take full ownership of that issue.
Karen Guglielmo: Okay. That makes sense. Back to the infrastructure question we were talking about before, how do you know if one infrastructure element is say, more critical, than another?
Ross Armstrong: Yeah. This is where a business impact analysis comes into play. So you have conducted your risk assessment, you've conducted your vulnerability assessment. Then we move on with that information to a business impact analysis. The overall purpose of a business impact analysis is to put an approximate dollar value on what interruptions in functionality will cost the organization. So the BIA justifies the expenditures necessary for developing a thorough disaster recovery plan by appropriately balancing the cost of the plan against the value of the resources and the potential impact on the organization.
So, by all means, the enterprise must kick off a business impact analysis for all components of the IT infrastructure as well as other risk areas such as personnel, physical security and business continuity planning.
Karen Guglielmo: Okay. So now actually, let's just turn to spending and money. How do IT executives determine where to spend their budget money, say, in regards to risk management?
Ross Armstrong: They do this by aligning risk with mitigating technologies. So after the business impact analysis and the vulnerability assessments have been conducted, you know what's most at risk, what it's going to cost you if those risks are actually exploited. So, by then, you take that information and use it to drive purchasing decisions by, like I said, aligning risk with those risk mitigating technologies.
So, you know, for example, like, point security tools are falling by the wayside, so the organization might determine that they're going to stop buying tools with only a single security function and instead invest in integrated solutions such as unified threat management devices for the gateway and security suites for the desktop. You know, while such tools do not offer all of the required integration, they streamline management to a degree and improve security, which may come from the business impact analysis, for example, that the organization really wants to start focusing on centralizing their IT security by using whatever means available.
Karen Guglielmo: Great. Now I know we've talked a lot about the planning and getting set up for risk management and making decisions, but what about long term? What are specific ways that CIOs can manage risk for the long term?
Ross Armstrong: There's a couple of things CIOs can do for that. First of all, they can manage risk long term by implementing cohesive, enforceable policies and internal controls. Policies should always be the guiding documents for risk management at all levels of the organization. Technologies such as endpoint security, for example, will allow for the seamless enforcement of policy, but until that time, the policies of the organization must make sense from both a business risk point of view as well as the support that the technological tools are going to provide for those policies. You know, also long term I would advise using a best practices framework such as COBIT or ISO 17799 to guide and drive and inform policy creation. These frameworks can help you focus on core IT processes and help determine how IT will identify detective manual controls that can and should be eventually transformed into preventative automated controls that your risk management initiatives will ultimately govern, and the best part is that these frameworks are freely available though, you know, proprietary tool sets or consultants may cost a few dollars.
Karen Guglielmo: Got it. Now since we're talking about long term, how do you say, or how would you suggest CIOs measure their progress going forward?
Ross Armstrong: I would suggest they measure their progress going forward by using metrics to gauge success. Metrics are measurable business processes that can help paint a picture of the company's overall state of health with regard to risk. So in addition to providing a snapshot of the enterprise's current state of risk, metrics can be used to measure and respond to changing requirements over time because risks will also change over time.
So in the case of security, you know, we've seen already that there exist many different types of risk across a multitude of business areas. So since IT is in charge of information security, it's up to the CIO to establish and use security metrics that will tell the security story to executives and the shareholders.
So each IT professional will have to adapt or modify security metrics to their own unique business processes and threat scenarios.
Karen Guglielmo: Got it. And finally, the big question of the day, I'd say, is how would you suggest CIOs justify the cost of risk management to their bosses?
Ross Armstrong: Yeah. Return on investment, you know? It's a simple calculation for the most part. With particular regard to security, you can calculate return on security investment. So, while a basic return on investment calculation can include revenue generation, cost savings or increased productivity, it's usually the new revenue part of the equation that drives traditional ROI calculations. Security ROI, or return on security investment, ROSI, as it's known, is more about risk mitigation and is better expressed as a cost saving initiative.
So it's very important to understand the relationship between security investment and risk mitigation even if you don't end up using those formal calculations.
Karen Guglielmo: Great. And on that note, that concludes today's podcast. Thanks again to Ross Armstrong for taking the time to speak with us today and thank you all for listening.
This was first published in January 2007.