The CIO must deliver IT services to enable the business to run effectively. The CIO must also protect information to prevent it from being lost or stolen. The CIO walks on the edge of a sword, balancing service delivery on one side and liabilities on the other. Straying too far on either side will result in failure, and that failure may be catastrophic.
We have been managing risk from the time we left the trees to modern times, and our risk model is still based on primal instincts (fight or flight). The choices were simple: eat, get eaten, or run away. We had to decide whether the tiger was smiling because its belly was full or because it saw us as its next meal. We still apply that same habitual way of thinking to today's "tigers," and it can lead us to less than optimal decisions.
At the level of basic instinct, our risk management skills are poorly suited to making risk decisions in the complex environment in which we now live. Consider a medium-sized network of 4,000 devices (routers, switches, servers, workstations, and printers): it generates about 6.9 billion electronic events every working day. Now think about which of those events could affect you or your organization negatively, and which positively. We need tools, processes, and methodologies to help us make informed decisions when managing risk, especially information and IT risk.
With the advent of the Internet we now have a single worldwide network or, as Kevin Kelly from Wired Magazine describes it, "The Machine." The Machine is composed of billions of computers, routers, switches, and mobile devices, all with a view into this network. And with this single network we have ways of doing amazing things. We can communicate around the world. People can read what is going on across the planet almost at the moment an event is happening.
Think about some of the events of the past decade: we knew about them the minute they were happening, and we saw pictures of disasters within minutes of their occurring. People have digitized this world into The Machine, and it will become far more connected. And the risks? If you don't keep up, you fall behind and become a have-not. If you do keep up, you pay the price of evolving faster than your people can evolve: you end up with technology too sophisticated to be understood and with too many events to track. And you cannot make good decisions without good information.
We are in a war zone and do not know it. The war zone is cyberspace. Events in cyberspace happen a million times faster than events in the physical world, they happen all over the world, and the economy they affect is global. Because we are all connected, we are also connected to people with criminal intent, people intent on stealing your money, your information, and anything else of value. The world market for information is in the trillions of dollars, and that market does not care how the information was obtained.
Today the biggest risk in cyberspace is misunderstanding. According to the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) report entitled "The Financial Management of Cyber Risk," most executives wait until they have been compromised to put a plan in place, and by then the plan is purely reactive. Waiting until after the problem has occurred damages reputations and costs more money.
Reactive plans are too late; it is the proverbial closing of the gate after the horses are gone. According to the Ponemon Institute, the average cost to an organization of a security breach involving credit cards rose from $4.5 million in 2005 to $6.65 million in 2009. That figure excludes the damage to reputation, which we cannot estimate, and the theft of intellectual property, which has cost companies billions of dollars.
Risk management is something we do every day. We manage risk as we walk across a street or drive down the highway, and on an individual basis we manage it fairly well, although we always hear stories about people who did not think about the risks and hurt themselves or worse. At an organizational level, we do not manage risk well, because organizations and their systems are complex. Some parts of an organization manage risk reasonably well, but as many organizational failures have shown, overall risk was not managed well. Organizational risk management is ad hoc management at best.
We have not formalized risk management in most organizations. The closest we come to enterprise risk management is the auditors and the board. Some organizations recognize that risk must be managed at the corporate level and that executives must be aware of risks when making key business decisions. In those organizations, an audit advisory committee advises the board and directors on business risks: the key decisions that change the way the organization conducts business. Typically, these are focused on rewarded risks, the risks taken on investments that are expected to create value for shareholders. What is missing is the incorporation of operational risks into these key business decisions, even though a number of studies show that operational failures can cause significant losses. In reality, risk management is still very much fragmented and managed within business lines and geographic boundaries.
Even more fragmented is the management of risks associated with IT. The reality is that we are all heavily invested in cyberspace. We do business in cyberspace because it reduces our costs and because our partners and customers do business there. We use Web sites to provide information to our customers, our partners, and our competitors. We use the Web to inform, transact, and communicate. Yet we do not manage the risks of cyberspace as business risks. Cyberspace is an enterprise-wide risk management issue. It belongs on the board's agenda, with a strategic, cross-organization focus.
Cyberspace carries both rewarded risks and unrewarded risks. A rewarded risk is taken in pursuit of a return; an unrewarded risk is one the organization must simply bear and control, as when it is compelled to invest in security to prevent data loss or to meet compliance obligations. The requirement is to recognize that cyberspace risks run both horizontally across the organization and vertically within business units.
Risk management is an integral oversight function that helps organizations avoid or mitigate situations or events that can harm individuals, groups, or the organization. It is not just about organizational harm; it is also about how services are delivered. Risk management by itself does not reduce risk; it measures and reports risk so that the organization can act on it. The reasons for managing risk are simple:
- To reduce or mitigate liabilities
- To improve or maintain service delivery
Information risk management is about getting the right information to the right person at the right time while preventing the wrong information from getting to the wrong person at the wrong time. What we are seeing, however, is that information risk management is still considered a technical issue to be dealt with by IM or IT staff. According to the ISA-ANSI publication The Financial Management of Cyber Risk, most enterprises categorize information security as a technical or operational issue to be managed by the IT department. This misconception is reinforced by outdated corporate structures and by the lack of an overall strategy for information risk management.
The ISA-ANSI publication suggests that the Chief Financial Officer (CFO), rather than the CIO or CISO, is the most logical person to lead enterprise risk management, including information risk management. The problem is one of education and time. To be properly informed, a CFO needs some background in IM/IT to understand the nuances that make up information technology; because of the complexity, no single person has that understanding. That is why we must automate risk management so that the information can be presented in a meaningful way. Implementation of the Federal Information Security Management Act (FISMA), passed in 2002, is now moving toward continuous monitoring, or near-real-time risk management, so that senior executives understand the security state of their information systems as it changes.
We need to consider risk management starting at the top. We have all heard of enterprise risk management (ERM). ERM is usually practiced at the board or executive level in making strategic decisions. At the enterprise level, risk management as defined by ISO 31000 (2009) enables an organization to
- Increase the likelihood of achieving objectives;
- Improve the identification of opportunities and threats;
- Encourage proactive management;
- Comply with legal and regulatory requirements;
- Improve governance;
- Improve controls;
- Better allocate and use resources for risk mitigation;
- Reduce losses and the impact of risks to objectives;
- Improve loss prevention and incident management; and
- Improve organizational resilience.
Information risk management is a part of ERM: it is about managing the risks to your information. As the ISA-ANSI report on the financial management of cyber risk describes, information risks must be considered at the corporate level and not left to IT. Balancing the availability of information against the access controls needed to keep the wrong information from reaching the wrong person is important; understanding that balance between controls and access is critical.
Whether an order is processed, a credit card is used, information is transmitted to a truck to move goods, or a machine executes a set of instructions to complete a job, information is processed and a transaction occurs. It does not matter whether it is a banking, order, or manufacturing transaction: there are steps to complete it. Getting the right information to the right person at the right time results in a successfully completed transaction. Getting the wrong information to the wrong person at the wrong time may result in a failed transaction; worse, it represents a liability.
So what do we mean by right information, and by wrong information? It depends; the right information means something different to every person. We can define right information as information relevant to a situation or a decision, and that relevance may be positive or negative. We usually associate right information with making decisions, and with the right information we hope to make good decisions. Wrong information has a negative connotation: we associate it with poor or bad decisions. Information can also be good information that becomes a liability in the wrong hands, as with stolen credit card data. And incorrect information will certainly lead to bad decisions. In terms of risk management, this means we have to manage our information better, or we will make bad decisions based on poor information (Figure 1).