"...'Risk management' is just a fancy term for the cost-benefit tradeoff associated with any decision. It’s what we do when we react to fear, or try to make ourselves feel secure. It’s the fight-or-flight reflex ... It’s instinctual, intuitive and fundamental to life, and one of the brain’s primary functions..."
Bruce Schneier
Bottom Line Up Front
If you cannot in the next sixty seconds state: (1.) What are the business critical processes that comprise success and competitive advantage; (2.) Discuss the concept of "residual risk"; you then need to stop reading until you can.
If you do not know what is critical to your ongoing success, you cannot identify, measure and mitigate the risks to those things.
What we will discuss in this section:
- How to identify, measure and mitigate business risks
- Do you need a "Risk Committee"?
- Managing your "Risk Register"
- Business Risk and Architecture
- Risk Managements dirty little secret, "Residual Risk"
- Resources, where can I get some help?
How to identify, measure and mitigate business risks
What is truly critical to the success of your business (you'd be surprised how many CEO's can't give a qualitative answer to that question). Is it key processes? Supply Chain fragility? Accounts Receivable? Sales pipeline? What, in sixty seconds or less explains your competitive advantage and allows you to dominate your markets?
If it is critical to your business you better understand in no uncertain terms, what are the risks that are associated maintaining "IT" in sufficient quality and quantity. Or... a competitor will make sure to deny "IT" to you.
If you are like most business's, you think your "stuff" is critical to your business but in all reality, your processes are where your competitive advantage is, not a software application. Software applications are like Lego's, we snap them together to create business processes that get work done. Our customers feel these processes, accounts receivable reflect customer satisfaction with these very same processes.
Do you know, really know, which business processes are key to your success?
Once you know that, you can document them. Once you document them, you can look for the way information flows between software applications to enable the smooth operation of those same processes.
Then you will be able to see the unfortunate fragility of those same processes...
Once you document the process and information flow, you will where the risks are...
Once you can see the risks, you can quantify them and make qualitative business decisions to mitigate the risks...
Sounds simple? If only...
Why you need a Risk Committee
Misery loves company, and your risk committee will be the additional duty that no one wants, but, where the real power in a business rests. Mountains will be moved when the Risk Committee makes a decision.
Trust me... you want to have a seat at that table.
If the Risk Committee makes a decision to mitigate the risk of the companies flagship customer facing Web Portal, like magic, there will be budget money for those tasks. And Board Room exposure for the CISO or CIO smart enough to grab a seat on the Risk Committee.
The Risk Committee hears the arguments then "...calls the ball...", everyone lines up to deliver. It's like David Copperfield at Caesar's Palace, amazing!
Managing your "Risk Register"
Also known as feeding the Beast (the Risk Committee Beast).
I keep a Risk Register as the CISO (I privately refer to it as the "...things to fix..." list), see the graphic below...
I maintain an entry for each risk like the one above and encourage the folks on the leadership team to add items at will. Each entry clearly shows the business driver, cost and ROI, a perfect Board Room discussion starter.
Let the Risk Committee prioritize the items in the Risk Register and let the Risk Committee fund mitigating those very same risks.
Business Risk and Architecture
If you are building your Risk Register, facilitating discussions within your Risk Committee to validate and prioritize the items in the Risk Register, your next step will be to take these decisions and organize them into Architectural Standards (driving budgeting - based on the decisions of the Risk Committee) for implementation by IT and Cyber Security to proactively mitigate future risks before they can occur in future projects...
While you're at it, talk to the CFO about adding some standard "terms and conditions" to future contracts in support of Risk and Architecture... this is getting exciting!
Read that last part out loud... "...proactively mitigate future risks...". Now we're onto something...
Risk Managements dirty little secret, "Residual Risk"
Just when we thought it was going so splendidly, someone brings up "residual risk"...
Residual Risk is that risk that is "...left over...", not addressed at this time the project goes live. Discovered a few weeks before Project Launch, it's a last minute risk that someone needs to "...own..." until it is mitigated.
Whip out a Plan of Action and Milestones [P.O.A.M.] template, find a stakeholder / project sponsor and sign them up to own the residual risk and report on it to the Risk Committee, you'll find that these residual risks get cleaned up promptly with a Risk Owner and mandatory participation at the Risk Committee.
Resources, where can I get some help?
There are numerous folks eager to assist you with Risk Management, below are only a few recommendations:
As is the case in most instances, the National Institute of Standards and Technology - Computer Security Resource Center or NIST-CSRC has got your back.
NIST Special Publication - 800-39, "Managing Information Security Risk: Organization, Mission, and Information System View"
NIST Special Publication - 800-37 Rev. 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy"
NIST Special Publication -800-30 Rev. 1, "Guide for Conducting Risk Assessments"
Cyber Security and Infrastructure Security Agency - has some great capabilities for the Public and Government sectors. https://us-cert.cisa.gov/ics/Assessments
Your local ISACA chapter can also assist you. https://www.isaca.org/
Next Steps
If you have questions or comments, please let me know: the_Secret_CISO@Protonmail.com