Speed is vital to assess and manage swiftly changing risks and meet regulatory demands. A matrix-based approach can offer a faster route than traditional, bottom-up methods
IT risk management is no longer an optional extra for business. Unforgiving new regulations, including Sarbanes-Oxley and Basel 2, demand that responsible corporate governance be built on effective controls - and risk assessment is fundamental to controls assurance.
This raises a dilemma for chief information officers. Until now, almost all IT risk management methodologies, such as Cramm, Sprint and Octave, have been highly structured, and even their light versions are complex and time consuming.
Rather than providing prompt answers to critical business security questions, they are geared towards ongoing assessment and management of broad-spectrum business risks.
Some of these programmes take many man-months, even years, to complete. Over that span, organisational change is not unusual, and the programme is often abandoned before it delivers. Consequently many organisations, with the possible exception of financial services and government, struggle to meet the regulatory bar where IT security is concerned.
However, there is an alternative approach that organisations are beginning to adopt. In today's tough operational environment, CIOs must identify their principal security risks quickly and unequivocally if they are to prioritise countermeasures and direct them where they are needed most. Formal regulatory compliance is one driver, but so too is the need to protect against potentially crippling value destruction by loss of reputation, damage to the brand or legal implications of failing to meet standards.
This alternative approach to risk assessment has already been used successfully by a number of companies, often run in tandem with more classic risk assessment and management programmes. The process scales: it can be applied to the enterprise as a whole just as effectively as to an individual business process.
At the outset, business users rate the criticality of their systems in terms of financial, regulatory, reputational and operational importance. Against this, the size, complexity and scale of each system, the extent of its known problems and the platform on which it is built are also assessed.
Building a matrix that combines these two sets of data allows straightforward, high-level identification of the business systems that represent significant risk to the business. In addition, senior management need to take stock of system weaknesses against the ISO 17799 control areas, so that security can be shown to fulfil corporate, customer and legal requirements consistently.
Take two examples. At company A, security around a specific platform has been identified as a major weakness. The matrix shows that several systems sit on this platform, so the mapping makes immediately apparent both the steps needed to remedy the situation and which business systems they protect.
At company B, the customer relationship management system has been identified as high-risk because of the large amount of confidential customer information it holds. The ISO 17799 review has identified that privacy requirements were never given any emphasis, so steps can be taken to correct this.
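The two examples above can be worked through as a small scoring matrix. The following is an added illustration written for this page, not the method or code of the author or of Accenture: the system names, platforms and ratings are constructed, and the scoring rule (the worst-rated criticality dimension times the worst of a system's own exposure ratings and its platform's weakness, banded high, medium or low) is an assumption chosen to make the two mappings visible. Its purpose is to show how a platform weakness propagates to every system on that platform (company A) and how a high-risk system holding confidential data with no privacy review is picked out (company B).

```python
"""Constructed illustration of a matrix-based IT risk assessment.

Business owners rate each system's criticality (financial, regulatory,
reputational, operational); technology staff rate its exposure (size,
complexity, known problems) and name its platform. The matrix combines
the two, and the platform column lets a platform-level weakness be
mapped onto every system that sits on it.
"""
from dataclasses import dataclass

CRITICALITY = ("financial", "regulatory", "reputational", "operational")
EXPOSURE = ("size", "complexity", "known_problems")

# Platform weakness ratings, 1 (sound) to 5 (major weakness). Constructed values.
PLATFORM_WEAKNESS = {"legacy-unix": 5, "mainframe": 2, "windows-farm": 3}


@dataclass
class System:
    name: str
    platform: str
    criticality: dict          # dimension -> 1..5, rated by the business owner
    exposure: dict             # dimension -> 1..5, rated by technology staff
    holds_confidential_data: bool = False
    privacy_controls_reviewed: bool = True


def criticality_score(system):
    """Worst-case rule (an assumption): the highest-rated dimension sets criticality."""
    return max(system.criticality[d] for d in CRITICALITY)


def exposure_score(system, platform_weakness=PLATFORM_WEAKNESS):
    """Worst of the system's own exposure ratings and its platform's weakness."""
    own = max(system.exposure[d] for d in EXPOSURE)
    return max(own, platform_weakness[system.platform])


def band(score):
    """Map a 1..25 combined score onto the three bands used in the matrix."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_matrix(systems, platform_weakness=PLATFORM_WEAKNESS):
    """Rows of (name, platform, criticality, exposure, score, band), highest risk first."""
    rows = []
    for s in systems:
        c = criticality_score(s)
        e = exposure_score(s, platform_weakness)
        rows.append((s.name, s.platform, c, e, c * e, band(c * e)))
    return sorted(rows, key=lambda r: (-r[4], r[0]))


def systems_on_platform(systems, platform):
    """Company A: map a platform weakness onto the systems that sit on it."""
    return sorted(s.name for s in systems if s.platform == platform)


def high_risk_privacy_gaps(systems, platform_weakness=PLATFORM_WEAKNESS):
    """Company B: high-band systems holding confidential data with no privacy review."""
    return sorted(
        s.name for s in systems
        if band(criticality_score(s) * exposure_score(s, platform_weakness)) == "high"
        and s.holds_confidential_data and not s.privacy_controls_reviewed
    )


# Constructed sample inventory; names, platforms and ratings are invented.
SYSTEMS = [
    System("CRM", "windows-farm",
           {"financial": 3, "regulatory": 4, "reputational": 5, "operational": 3},
           {"size": 4, "complexity": 3, "known_problems": 2},
           holds_confidential_data=True, privacy_controls_reviewed=False),
    System("Payroll", "legacy-unix",
           {"financial": 4, "regulatory": 4, "reputational": 2, "operational": 3},
           {"size": 2, "complexity": 2, "known_problems": 3},
           holds_confidential_data=True),
    System("General ledger", "mainframe",
           {"financial": 5, "regulatory": 5, "reputational": 3, "operational": 4},
           {"size": 3, "complexity": 3, "known_problems": 2}),
    System("Intranet wiki", "legacy-unix",
           {"financial": 1, "regulatory": 1, "reputational": 2, "operational": 2},
           {"size": 2, "complexity": 1, "known_problems": 1}),
    System("Booking kiosk", "windows-farm",
           {"financial": 2, "regulatory": 1, "reputational": 2, "operational": 3},
           {"size": 1, "complexity": 1, "known_problems": 1}),
]

if __name__ == "__main__":
    for row in build_matrix(SYSTEMS):
        print("%-15s %-13s crit=%d exp=%d score=%2d %s" % row)
    print("On legacy-unix:", systems_on_platform(SYSTEMS, "legacy-unix"))
    print("Privacy gaps:", high_risk_privacy_gaps(SYSTEMS))
```

Two things the matrix makes visible that a list of systems does not: the low-criticality intranet wiki lands in the medium band purely because of the weak platform it shares with payroll, which is exactly the company A picture; and the CRM system is the only high-band system that both holds confidential data and lacks a privacy review, which is the company B picture. The worst-case scoring rule is deliberately conservative; a weighted sum would let a single severe weakness be averaged away.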
Detailed bottom-up risk approaches still have their place and give companies valuable ongoing assessment and management of information security. But, precisely because of the detailed analysis they involve, they cannot deliver the prompt risk assurance that regulation often requires.
By contrast, a more focused matrix-based assessment lets companies concentrate compliance effort on the areas that matter most. Sarbanes-Oxley and Basel 2 reporting requirements are satisfied provided companies have proper control regimes in place, based on a reasonable analysis of risk. Focused assessments have another important advantage. Most regulatory pressure centres on financial controls, so compliance alone can give organisations a one-dimensional view of the risks they face.
The matrix-based approach adds a dimension because it engages the business owners as well as risk and technology managers. The result is a top-down view of the organisation's risk rather than a purely technical one.
Organisations have to deal with rapid, often unpredictable, change, and external events can suddenly raise awareness of the need for security and controls that assess and minimise risk. In this environment, the matrix-based approach provides crucial information when and where it is needed most.
Alastair MacWillson is managing partner global security practice at Accenture