There is a growing awareness among IT professionals that IT governance, risk and compliance (GRC) needs to be aligned more closely with the business. According to contributors to a series of Computer Weekly Security Think Tank articles, a bottom-up approach to risk and compliance allows the IT department to filter relevant business risk metrics up to executive decision-makers at the top of the organisation in a language they can understand.
An operational – or bottom-up – approach tends to value having each and every business unit taking responsibility for risk management. Simon Persin, director of Turnkey Consulting, says this operational approach assumes that if all the risks are captured and filtered at the lowest relevant level, those that are of greatest impact will naturally, or systematically, be visible further up the chain.
“It depends on risk management processes rather than technology,” he says. “To be effective, it requires risk managers at the operational layer to be aware of the business’s strategic objectives and understand how these are impacted by their identified risks. Similarly, risk managers need clarity on the way that risks should be identified and classified. Without this, the risks may still be inconsistent and the overall clarity reduced.”
Persin believes that rather than raising strategically important risks from the lowest level in the business, the key is to understand which risks are important to each particular function.
“Those at the top of an organisation are interested in business strategic risks that will have a material impact on the ability of the enterprise to trade or grow according to its strategy,” he says. “Many different aspects will impact these risks. Some – process efficiency, for example – are controllable from within the company, and some, such as government policies, are not.”
According to Persin, operational decisions require detailed information about risk. However, he says these risks tend to be more generic in nature and informed by more detailed activities that may be taking place further down the line, where objectives and perspectives will be very different.
“Far more granular information is required to make a more operational decision based on the risk at hand,” he says.
For example, when there is an IT system failure, Persin points out that a strategic top-down view may be as simple as reviewing whether IT assets are sufficiently controlled for the business to operate, or if they are at significant risk of compromise.
“While this is a noble question to ask,” he says, “it is not sufficient to meet operational resource planning, where much more detailed information may need to be factored in: which operating systems are running on which assets; the assets that are affected if a vulnerability is found; what data is stored on which server and the risk that poses if it is impacted.”
The impact of system metrics
As IT systems become more software-defined, metrics and data can be collected and processed on a near real-time basis, says Eoin Keary, CEO of Edgescan. This leads to a software-defined approach to governance, which, he says, can help organisations support an integrated risk management strategy.
A software-defined approach provides an overall view of risk and governance from a single standpoint, which can in turn result in rapid response and ease of oversight in an organisation in continuous flux.
According to Keary, understanding and having the correct metrics assists with strategic and operational decision-making. Analysis of these metrics informs the governance strategy, while real-time metrics support operational governance. “Information security professionals can assist by focusing on metrics, as we can’t improve what we can’t measure,” he says. “Many metrics of value in the information security world actually overlap with risk management and overarching strategy. Items such as system stability, usage downtime, vulnerability density and time-to-fix can be used to assist with focusing one’s budget on doing the right things to move the dial in a positive direction.”
What then becomes important, according to Keary, is for information security professionals to look at correlating and integrating these metrics with other business-as-usual aspects of the organisation. “Metrics and alerting integrations can provide strategic ‘food for thought’ and assist executives in considering where to allocate budget and resources,” he says. “For instance, a business unit with a high vulnerability count may require training or improvements to maintenance or deployment. By detection of the symptom we can try to understand the root cause and act accordingly.”
In Keary’s experience, the traditional approach to governance and compliance – where the organisation receives audit reports from internal or external consultants, tracks the discovered non-compliant issues, fixes these issues, then repeats the audit – is just way too slow to keep pace with the rate of change in a contemporary environment.
Tips for taking a metrics-driven approach to integrated risk management
An integrated metrics-driven approach based on analytics can change the posture of an organisation significantly, says Eoin Keary, CEO of Edgescan. He suggests the following metrics can assist risk governance.
- Development security touchpoints and toll gates: Gather metrics relating to security failures early on in the system development lifecycle. Earlier detection is cheaper and more effective. Root cause identification can assist with quality and compliance – and also security posture.
- Simple fixes can result in huge dividends: Track the security posture of non-compliant live systems – for example, systems not configured correctly or systems that require patching – and try to answer questions such as “why, how, where” in terms of misconfigured or neglected systems. Measuring time-to-remediate (TTR) is a by-product of this.
- Mean time to remediation: Measure how quickly system vulnerabilities are being fixed, and whether they are being fixed at all. Many compliance requirements demand continuous improvement and evidence that you are taking compliance seriously.
- Establish asset inventory: Automated continuous profiling can help keep an asset inventory up to date in near real time. Visibility and scope are a common root cause for non-compliance or breach.
Keary says an integrated approach overlaps governance, compliance and IT security. “We can analyse high-level trends and drill deeper into technical and root cause of symptoms which provides us with both operational and strategic views of the same issue,” he says.
The challenge is that while metrics are highly relevant for an IT asset-driven risk management approach, and may contribute directly to the operational risk of not meeting compliance objectives, this data is not directly useful at an executive level. However, the fact that a risk is defined in technical terminology does not mean it is irrelevant to the business. “It may identify a business-killing event such as a cyber attack or zero-day vulnerability,” says Turnkey Consulting’s Persin.
On the other hand, technically focused individuals may raise legitimate strategic business risks, but generate a false impression of their criticality because they are important to them, or define them in terms that are overly technical for the organisation overall.
“The key is to have the right filters in place to allow information to be centrally captured, while also ensuring there is a coherent understanding of the risk, wherever it is sourced,” adds Persin.
Top-down, bottom-up risk management
A top-down approach to integrated risk management requires the executives and management layer to source accurate information and view it in a consistent manner to make appropriate decisions. In contrast, an operational, or bottom-up, approach tends to value having each and every business unit taking responsibility for risk management.
Persin says joining these two worlds is the crucial element of an integrated risk management approach.
“It’s not about everyone knowing everything about the whole of the enterprise; rather it is about each individual business understanding how it is part of a whole and where it has an influence. People should be able to raise risks where they’re identified, but avoid flagging them for the sake of it – in an organisation that is culturally risk-averse, for example, or to protect their reputation if there are related issues at a later date,” he says.
“In most cases, the optimal solution is a centrally run risk management function that has inputs and representation in all business units to inform on the risks. They can then act as a filter, spot duplication and help to facilitate the integration into the wider strategic agenda.”