IT Today is brought to you by Auerbach Publications

Why Risk Management?

Mark Scherling

The CIO must deliver IT services to enable the business to run effectively. The CIO must also protect information to prevent it from being lost or stolen. The CIO walks on the edge of a sword, balancing service delivery on one side and liabilities on the other. Straying too far on either side will result in failure, and that failure may be catastrophic.

We have been managing risk from the time we left the trees to modern times, and our risk model is still based on primal instincts (fight or flight). The model was simple because the choices were simple: eat, get eaten, or run away. We had to decide whether the tiger was smiling because its belly was full or because it saw us as its next meal. We still apply that same habitual way of thinking to today's "tigers," and it can lead us to less than optimal decisions.

At the level of basic instinct, our risk management skills are not well suited to the complex environment in which we live today. Consider a medium-sized network of 4,000 devices (routers, switches, servers, workstations, and printers): it generates roughly 6.9 billion electronic events every working day. Now think about which of those events could affect you or your organization negatively, and which could affect it positively. We need tools, processes, and methodologies to help us make informed decisions when managing risks, especially information and IT risks.

With the advent of the Internet we now have a single worldwide network or, as Kevin Kelly of Wired Magazine describes it, "The Machine." The Machine is composed of billions of computers, routers, switches, and mobile devices, all with a view into this network, and with it we can do amazing things. We can communicate around the world, and people can read about what is happening across the planet almost at the moment it happens.

Think about some of the events of the past decade and how we knew about them the minute they were happening. We see pictures of disasters within minutes of their occurring. People have digitized this world into The Machine, and it will become far more connected. And the risks? If you don't keep up, you fall behind and become a have-not. If you do keep up, you pay the price of evolving faster than your people can evolve: you end up with technology too sophisticated to be understood and with too many events happening, and you cannot make good decisions without good information.

We are in a war zone and do not know it. The war zone is cyberspace. Events in cyberspace happen a million times faster than events in the physical world, they happen all over the world, and the economy is global. Because we are all connected, we are also connected to people with criminal intent, people intent on stealing your money, your information, and anything else of value. The world market for information is in the trillions of dollars, and it does not matter how the information was obtained; the market is there.

Today the biggest risk in cyberspace is misunderstanding. According to the Internet Security Alliance (ISA) and American National Standards Institute (ANSI) report "The Financial Management of Cyber Risk," most executives wait until they have been compromised to put a plan in place, and that plan is reactive. Waiting until after the problem has occurred damages reputations and costs more money.

Reactive plans are too late; they are the proverbial closing of the gate after the horses are gone. According to the Ponemon Institute, the average cost to an organization of a security breach involving credit card data rose from $4.5 million in 2005 to $6.65 million in 2009. That figure does not include the damage to reputation, which we cannot estimate, nor the theft of intellectual property, which has cost companies billions of dollars.

Risk management is something we do every day. We manage risks as we walk across a street or drive down the highway. On an individual basis we manage risks fairly well, although we always hear stories about people who did not think about the risks and managed to hurt themselves, or worse, by doing something stupid. At an organizational level we do not manage risks well, because organizations and systems are complex. Some parts of an organization manage their risks fairly well, but as many organizational failures have shown, the risk to the organization as a whole was not managed well. Organizational risk management is ad hoc at best.

We have not formalized risk management in most organizations. The closest most come to enterprise risk management is the auditors and the board. Some organizations recognize that risk must be managed at the corporate level and that executives must be aware of risks when making key business decisions; in those organizations, an audit advisory committee advises the board and directors on business risks, the key decisions that change the way the organization conducts business. Typically these are focused on rewarded risks, the risks associated with investments that create value for shareholders. What is missing is the incorporation of operational risks into those key business decisions, even though, as a number of studies have shown, operational failures can cause significant losses. In reality, risk management is still very much fragmented, managed within business lines and geographic boundaries.

Even more fragmented are the risks associated with IT. The reality is that we are all heavily invested in cyberspace. We do business there because it reduces our costs and because our partners and customers do business there. We use Web sites to provide information to our customers, our partners, and our competitors. We use the Web to inform, transact, and communicate. Yet we do not manage the risks of cyberspace as business risks. Cyberspace is an enterprise-wide risk management issue: it belongs on the board's agenda and deserves a strategic, cross-organization focus.

Cyberspace carries both rewarded risks (investments that create value) and unrewarded risks (spending the organization is compelled to make, such as investing in security to prevent data loss or to meet compliance obligations). The requirement is to recognize that cyberspace risks run both horizontally across the organization and vertically within business units.

Risk management is an integral oversight function that helps organizations avoid or mitigate situations or events that can harm individuals, groups, or the organization. It is not just about organizational harm but also about how services are delivered. Risk management by itself does not reduce risk; it measures and reports risk so that those who own the service or the liability can act on it. The reasons for managing risk are really simple:

  • To reduce or mitigate liabilities
  • To improve or maintain service delivery

Information risk management is about getting the right information to the right person at the right time while preventing the wrong information from getting to the wrong person at the wrong time. Yet information risk management is still widely treated as a technical issue to be dealt with by IM or IT staff. According to the ISA-ANSI publication The Financial Management of Cyber Risk, most enterprises categorize information security as a technical or operational issue to be managed by the IT department. This misconception is reinforced by outdated corporate structures and by the lack of an overall strategy for information risk management.

The ISA-ANSI publication argues that the Chief Financial Officer (CFO), rather than the CIO or CISO, is the most logical person to lead enterprise risk management, including information risk management. The problem is one of education and time. To be properly informed, a CFO needs some background in IM/IT to understand the nuances that make up information technology. Because of the complexity involved, no single person has that understanding, which is why we must automate risk management so that the information can be presented in a meaningful way. Guidance under the Federal Information Security Management Act (FISMA), passed in 2002, is now moving toward continuous monitoring, or near-real-time risk management, so that senior executives understand the security state of their information systems as it changes.

We need to consider risk management starting at the top. We have all heard of enterprise risk management (ERM), which is usually practiced at the board or executive level when making strategic decisions. At the enterprise level, risk management as defined by ISO 31000 (2009) enables an organization to

  • Increase the likelihood of achieving objectives;
  • Improve the identification of opportunities and threats;
  • Encourage proactive management;
  • Comply with legal and regulatory requirements;
  • Improve governance;
  • Improve controls;
  • Better allocate and use resources for risk mitigation;
  • Reduce losses and the impact of risks to objectives;
  • Improve loss prevention and incident management; and
  • Improve organizational resilience.

Information risk management is a part of ERM: it is about managing the risks to your information. As the ISA-ANSI report on the financial management of cyber risk describes, information risks must be considered at the corporate level and not left to IT. Balancing the availability of information against the access controls needed to keep the wrong information from reaching the wrong person is critical, and understanding that balance between controls and access is the core of the discipline.

Whether an order is processed, a credit card is used, information is transmitted to a truck to move goods, or a machine executes a set of instructions to complete a job, information is processed and a transaction occurs. It does not matter whether it is a banking, order, or manufacturing transaction; there are steps taken to complete it. Getting the right information to the right person at the right time results in successful completion of the transaction. Getting the wrong information to the wrong person at the wrong time may result in a failed transaction and, worse, represents a liability.

So what do we mean by right information, and by wrong information? It depends, because right information means something different to every person. We can define right information as information relevant to a situation or a decision; its relevance could be positive or negative. Usually we associate right information with making decisions, and with the right information we hope we are making good decisions. Wrong information has a negative context: we associate it with making poor or bad decisions. In some contexts the information could be good information that, in the wrong hands, represents a liability, as with stolen credit card information. And incorrect information will definitely lead to bad decisions. In terms of risk management, this means we have to manage our information better or we will make bad decisions based on poor information (Figure 1).

Figure 1. Balance delivery with liability.

Today, much of risk management is very fragmented within organizations. We are still wrestling with IT as a service and with information security as a means of preventing liabilities arising from our electronic service delivery. Often, information security is separated from operations, and the business is further separated from IT operations. Applications further divide the organization into lines of business, and the expectation that IT can handle all aspects of information service delivery is often misplaced. Risks tend to be managed locally rather than globally, causing further fragmentation. Because we are connected to the Internet and so dependent on computers, we need to reconsider risk management both from a horizontal (enterprise) perspective and from a vertical (business line) perspective.

Access to one system in one business area may give someone access to every system across the organization, and that someone may not be anyone you want on your network. We have all heard about credit card theft, personal information theft, and intellectual property theft, and it is all happening now on our systems. As we become more connected, depend more on computers, and add social networks to our corporate capabilities, our liabilities will increase and our service delivery will become more complex.

So what liabilities are we most concerned with? And, how do we manage and improve service delivery?

Risks must be put into terms that everyone understands. For an executive managing hundreds of millions of dollars, risk must be expressed in dollars that affect their desired outcome, such as a product, service, or program. What does the risk mean to their budget? If a realized risk would cost 10% of their budget, how much will the executive spend mitigating it? If it would cost less than 1% of their budget, they are much less likely to spend heavily on mitigation. We also have to recognize that measuring a risk and mitigating it is not the end. Risks are always changing, and we live in a very complex world, running very complex systems and processes. We have to expect that even minor risks we might usually ignore can cause a major or catastrophic event.

The perfect storm that almost happened was Three Mile Island, a nuclear plant in the eastern United States. The accident began at about 4:00 AM on Wednesday, March 28, 1979, with a failure in the non-nuclear secondary system. A second failure, in the primary system, was caused by a stuck-open relief valve. Compounding these failures was the plant operators' failure to recognize the situation as a loss of coolant. Additional factors were inadequate training and human factors such as design errors. The investigation uncovered a series of events that, by themselves, were not significant; in combination, they caused a partial core meltdown in one of the reactors. The lessons learned showed how groups of people react and make decisions under stress.

In 1984, Charles Perrow drew on such accidents to describe "system accidents" as having two main characteristics: interactive complexity and tight coupling. Once an organization reaches a certain size there is far more complexity and uncertainty to deal with, because there are more people, systems, applications, networks, end-point devices, and information, and the chances of small coincidental failures causing a significant impact increase. The complexity of The Machine is beyond our comprehension. With billions of devices and billions of messages daily, we cannot predict with any certainty that events in cyberspace will not affect us. And with social networks becoming the norm, communications are far more open and there are many more ways of being attacked.

Our resources are limited. Our budgets are limited. Our time is limited. Each year, more is demanded of CIOs. Each year, it is not enough just to run an IT organization; it must deliver more value back to the business. We need an overall approach to managing both service delivery and liabilities. How do we make sure that the right information gets to the right person at the right time while preventing the wrong information from going to the wrong person at the wrong time? We start by defining what we mean by liabilities (Chapter 2) and service delivery (Chapter 3).

From Practical Risk Management for the CIO by Mark Scherling. Auerbach Publications, 2011.

© Copyright 2011 Auerbach Publications