Tuesday, November 9, 2021

Cyber Security ROI for the CEO - Part Four - Risk Management


"...'Risk management' is just a fancy term for the cost-benefit tradeoff associated with any decision. It’s what we do when we react to fear, or try to make ourselves feel secure. It’s the fight-or-flight reflex ... It’s instinctual, intuitive and fundamental to life, and one of the brain’s primary functions..."
Bruce Schneier

Bottom Line Up Front

If you cannot, in the next sixty seconds, (1) state which business-critical processes make up your success and competitive advantage and (2) discuss the concept of "residual risk", then you need to stop reading until you can.

If you do not know what is critical to your ongoing success, you cannot identify, measure and mitigate the risks to those things.

What we will discuss in this section:

  • How to identify, measure and mitigate business risks
  • Do you need a "Risk Committee"?
  • Managing your "Risk Register"
  • Business Risk and Architecture
  • Risk Management's dirty little secret, "Residual Risk"
  • Resources, where can I get some help?

How to identify, measure and mitigate business risks

What is truly critical to the success of your business? (You'd be surprised how many CEOs can't give a qualitative answer to that question.) Is it key processes? Supply chain fragility? Accounts receivable? Sales pipeline? What, in sixty seconds or less, explains your competitive advantage and allows you to dominate your markets?

If it is critical to your business, you had better understand, in no uncertain terms, the risks associated with maintaining "IT" in sufficient quality and quantity. Or... a competitor will make sure to deny "IT" to you.

If you are like most businesses, you think your "stuff" is critical to your business, but in reality your processes are where your competitive advantage lies, not a software application. Software applications are like Legos: we snap them together to create business processes that get work done. Our customers feel these processes, and accounts receivable reflect customer satisfaction with those very same processes.

Do you know, really know, which business processes are key to your success?

Once you know that, you can document them. Once you document them, you can look for the way information flows between software applications to enable the smooth operation of those same processes.

Then you will be able to see the unfortunate fragility of those same processes...

Once you document the process and information flow, you will see where the risks are...

Once you can see the risks, you can quantify them and make qualitative business decisions to mitigate the risks...

Sounds simple? If only...

Why you need a Risk Committee

Misery loves company, and your risk committee will be the additional duty that no one wants, but, where the real power in a business rests. Mountains will be moved when the Risk Committee makes a decision.

Trust me... you want to have a seat at that table.

If the Risk Committee makes a decision to mitigate the risk to the company's flagship customer-facing Web Portal, like magic, there will be budget money for those tasks. And Board Room exposure for the CISO or CIO smart enough to grab a seat on the Risk Committee.

The Risk Committee hears the arguments then "...calls the ball...", everyone lines up to deliver. It's like David Copperfield at Caesar's Palace, amazing!

Managing your "Risk Register"

Also known as feeding the Beast (the Risk Committee Beast).

I keep a Risk Register as the CISO (I privately refer to it as the "...things to fix..." list), see the graphic below...

[Risk Register entry graphic not reproduced here]

I maintain an entry for each risk like the one above and encourage the folks on the leadership team to add items at will. Each entry clearly shows the business driver, cost and ROI, a perfect Board Room discussion starter.

Let the Risk Committee prioritize the items in the Risk Register and let the Risk Committee fund mitigating those very same risks.

Business Risk and Architecture

If you are building your Risk Register and facilitating discussions within your Risk Committee to validate and prioritize its items, your next step is to take those decisions and organize them into Architectural Standards (which drive budgeting, based on the decisions of the Risk Committee) for implementation by IT and Cyber Security, so that future risks are proactively mitigated before they can occur in future projects...

While you're at it, talk to the CFO about adding some standard "terms and conditions" to future contracts in support of Risk and Architecture... this is getting exciting!

Read that last part out loud... "...proactively mitigate future risks...". Now we're onto something...

Risk Management's dirty little secret, "Residual Risk"

Just when we thought it was going so splendidly, someone brings up "residual risk"...

Residual Risk is the risk that is "...left over...", not addressed by the time the project goes live. Discovered a few weeks before Project Launch, it's a last-minute risk that someone needs to "...own..." until it is mitigated.

Whip out a Plan of Action and Milestones [P.O.A.M.] template, find a stakeholder / project sponsor and sign them up to own the residual risk and report on it to the Risk Committee. You'll find that these residual risks get cleaned up promptly once there is a Risk Owner and mandatory participation at the Risk Committee.
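A Risk Register entry as a data structure, added here as an illustration and not the author's own register: each entry carries the business driver, cost and ROI the post describes, the committee view sorts entries by ROI, and the residual-risk check refuses to let an above-tolerance residual through without a Risk Owner and a P.O.A.M. date. The exposure formula (likelihood times dollar impact, reduced by the mitigation's effectiveness), the function names and every figure in the sample register are my assumptions.

```python
# Added example, not the author's register: a minimal Risk Register model.
# Assumption: exposure = likelihood * impact ($/year); a mitigation removes
# `effectiveness` of that exposure and what is left is residual risk.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class RiskEntry:
    name: str
    business_driver: str              # critical process this risk threatens
    likelihood: float                 # annual probability, 0.0 .. 1.0
    impact: float                     # dollars lost if it happens
    mitigation_cost: float            # dollars to implement the fix
    effectiveness: float              # fraction of exposure removed, 0.0 .. 1.0
    residual_owner: Optional[str] = None   # stakeholder signed up on the P.O.A.M.
    poam_due: Optional[date] = None        # milestone for retiring the residual

    def exposure(self) -> float:
        """Expected annual loss before mitigation."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left over once the mitigation goes live."""
        return self.exposure() * (1.0 - self.effectiveness)

    def roi(self) -> float:
        """Net loss avoided per dollar of mitigation spend."""
        avoided = self.exposure() - self.residual()
        return (avoided - self.mitigation_cost) / self.mitigation_cost

def prioritize(register: list[RiskEntry]) -> list[str]:
    """Order for the Risk Committee: best ROI first."""
    return [r.name for r in sorted(register, key=lambda r: r.roi(), reverse=True)]

def unowned_residual(register: list[RiskEntry], tolerance: float) -> list[str]:
    """Residual risk above tolerance with no owner or no P.O.A.M. date: not ready to go live."""
    return [r.name for r in register
            if r.residual() > tolerance
            and (r.residual_owner is None or r.poam_due is None)]

# Constructed sample register: illustrative figures, not real data.
REGISTER = [
    RiskEntry("Web portal outage", "customer-facing portal", 0.30, 2_000_000,
              150_000, 0.80, residual_owner="VP Digital", poam_due=date(2022, 3, 31)),
    RiskEntry("Single-supplier failure", "supply chain", 0.10, 5_000_000, 400_000, 0.50),
    RiskEntry("AR system ransomware", "accounts receivable", 0.05, 3_000_000, 60_000, 0.90),
]
```

With these figures the supplier mitigation has a negative ROI, which is exactly the kind of entry the Risk Committee should see before anyone spends the money, and it is also the one residual still lacking an owner.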

Resources, where can I get some help?

There are numerous folks eager to assist you with Risk Management, below are only a few recommendations:

As is the case in most instances, the National Institute of Standards and Technology - Computer Security Resource Center or NIST-CSRC has got your back.

NIST Special Publication 800-39, "Managing Information Security Risk: Organization, Mission, and Information System View"

NIST Special Publication 800-37 Rev. 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy"

NIST Special Publication 800-30 Rev. 1, "Guide for Conducting Risk Assessments"

The Cybersecurity and Infrastructure Security Agency (CISA) has some great capabilities for the public and government sectors: https://us-cert.cisa.gov/ics/Assessments

Your local ISACA chapter can also assist you. https://www.isaca.org/

Next Steps

If you have questions or comments, please let me know: the_Secret_CISO@Protonmail.com

Monday, November 1, 2021

Cyber Security ROI for the CEO - Part Three - Compliance & Audit

"...There has to be a regular performance audit to do a comprehensive analysis to determine how the funds are performing. We can't come to the bargaining table without both qualitative and quantitative performance metrics..." - the Author 


BOTTOM LINE UP FRONT: Compliance and Audit are expenses, yes, they are necessary and yes they can drive quantitative and qualitative value for the business, however, done without business acumen, they are almost always perceived as disruptive and overly costly for the business you serve. 

In this installment of the series, we'll discuss how to strike a meaningful balance, bring value via automation, and increase engagement and awareness with your Business Leadership Team. 

What we will discuss in this section: 

  • Who should develop a strategy for Compliance and Audit success? 
  • Do you need a "Compliance and Audit" committee? 
  • Do you need Compliance and Audit SDLC gates in your IT processes? 
  • Who will call the ball when IT and Cyber Security disagree? (yes, they will disagree)
  • Maximize automation in your compliance requirements? 
 
Why you should develop a Compliance and Audit Strategy 

You need a way to relentlessly streamline your methodology for dealing with both internal and external auditors: as the saying goes, the best defense is a good offense. Developing a solid strategy for proactively giving the auditors what they require will reduce uncertainty within your IT organization and allow your teams to prepare audit artifacts as a normal course of doing IT business. This is a big value add to the business you are supporting, your auditors and your team members. Reducing uncertainty lets the IT teams gain confidence in generating their assigned audit artifacts, and confidence thrives in an environment where there are clear performance goals that support business drivers.

Do everything in your power as a Leader to make Compliance and Audit support tasks (the generation of audit artifacts) part of required day-to-day IT team operations. Granted, it will be a change; however, in the end you can quantify the value of your approach to the business leadership team in dollars saved. You'll receive well-deserved kudos for managing your teams like a business and for proactively supporting the business.

The business leadership team will forever look at you as a more valuable Leader - and that's what it's all about. 

Why you need a "Compliance and Audit" committee. 

Everything we do in Information / Cyber Security requires business buy in. Most folks in the business leadership team do not understand Security and in the back of their minds they see Governance, Risk, Compliance, Privacy and Security [GRCPS] as costs to be contained. 

This is natural; you should be aware of it and always work to increase executive awareness of the GRCPS Team's proactive role in cost containment, in all areas of the GRCPS System Development Life Cycle.

By working with the business leadership to champion the creation of a joint, Business and Security "Compliance and Audit" Committee, you bring the business to the forefront of informed decision making for GRCPS requirements. 

By doing so, your frustration level for all things GRCPS will plummet as the business takes a leadership role in prioritizing and funding GRCPS initiatives for you. 

Let that sink in for a few minutes... 

Why you need Compliance and Audit SDLC gates in your IT processes. 

EXAMPLE: We've been patching systems since the '90s, going on thirty years now, so we should be very good at patching! You most likely have a well-refined process for patching each family of IT assets that supports your business. Why not leverage and enhance these time-tested processes to enhance the generation of audit artifacts for your GRCPS requirements?

If you're using NIST 800-53 as your governance framework (or another time-tested framework like ISO 27001), you know that there are a variety of "...vulnerability and patch management..." related controls that benefit from some well-documented "stuff":

  • Having a control owner assigned 
  • Having a control manager assigned 
  • One of these for every "control requirement": a detective control, a preventative control or a procedural control

By mapping your IT tools to your compliance families and identifying the audit artifacts each tool is capable of generating, you can set a goal to have the tool automatically generate, without labor dollars, high-quality audit artifacts that are stored in a secure location for the auditors to review at their leisure.

Let's look at the business advantages of this strategy: 

  • This will reduce the actual IT workload: audit artifacts that are generated without employee labor free up employee labor dollars to be repurposed for other tasks. Be sure to brief that to the business.
  • This will break the cycle of the auditors showing up and billing your business to nag IT employees for audit artifacts. 
  • This will save a lot of normal audit costs. Be sure to brief that to the business, and find a way to quantify the savings!
  • By assigning an individual contributor who is responsible for the day-to-day operation of the tool that generates the audit artifacts as the "Control Manager" with the added responsibility of maintaining the "procedure" documentation, those documents should be always updated and relevant. 
  • By assigning a Manager as the "Control Owner", they will provide valuable oversight and quality control functions in support of your GRCPS program and the IT SDLC process "gates" that support the generation of audit artifacts. 
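The tool-to-control mapping and the automated artifact described above, as an added example that is not the author's or any vendor's code: the mapping is checked for the three things the post asks for (a control owner, a control manager, and a detective, preventative or procedural control type), and the patch tool's raw output is packaged as an audit artifact with a coverage figure and a SHA-256 of the evidence so that later edits to the stored copy are detectable. The 800-53 control IDs are real; the people, tool names, report format and function names are my assumptions.

```python
# Added example (mine, not the author's or any vendor's): map a patch tool to the
# NIST 800-53 controls it evidences, check each mapping has the owner, manager and
# control type the post calls for, and turn raw tool output into an audit artifact.
import hashlib

# Constructed mapping (real 800-53 control IDs; people, tools and output invented).
CONTROL_MAP = {
    "SI-2": {"tool": "patch-orchestrator", "owner": "IT Ops Manager",
             "manager": "patch-admin", "type": "preventative"},
    "RA-5": {"tool": "vuln-scanner", "owner": "CISO",
             "manager": "scan-admin", "type": "detective"},
    "CM-3": {"tool": "change-board-minutes", "owner": None,
             "manager": "change-coordinator", "type": "review"},
}

def coverage_gaps(control_map: dict) -> list[str]:
    """'CONTROL: problem' for each mapping an auditor would bounce; [] means audit-ready."""
    gaps = []
    for cid, meta in control_map.items():
        if not meta.get("owner"):
            gaps.append(f"{cid}: no control owner")
        if not meta.get("manager"):
            gaps.append(f"{cid}: no control manager")
        if meta.get("type") not in {"detective", "preventative", "procedural"}:
            gaps.append(f"{cid}: type must be detective, preventative or procedural")
    return gaps

# Constructed patch-orchestrator output, one host per line: host, last patch date, status.
PATCH_REPORT = """\
web-01\t2021-11-02\tcompliant
web-02\t2021-11-02\tcompliant
db-01\t2021-10-05\tnoncompliant
"""

def build_artifact(control_id: str, report: str, control_map: dict = CONTROL_MAP) -> dict:
    """Package tool output as evidence: control metadata, a coverage figure the
    auditor can read, and a SHA-256 of the raw report so later edits are detectable."""
    rows = [line.split("\t") for line in report.splitlines() if line.strip()]
    compliant = sum(1 for _, _, status in rows if status == "compliant")
    meta = control_map[control_id]
    return {
        "control": control_id,
        "control_owner": meta["owner"],
        "control_manager": meta["manager"],
        "control_type": meta["type"],
        "hosts_total": len(rows),
        "hosts_compliant": compliant,
        "coverage_pct": round(100.0 * compliant / len(rows), 1) if rows else 0.0,
        "evidence_sha256": hashlib.sha256(report.encode()).hexdigest(),
    }
```

Run `coverage_gaps(CONTROL_MAP)` before the auditors arrive: in the sample it flags CM-3 for having no owner and a control type outside the three the post allows, while `build_artifact("SI-2", PATCH_REPORT)` yields the evidence record for the patching control.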

Who will call the ball when IT and Cyber Security disagree?

All of this change will make some folks' hackles go up; no one likes change... the mantra of "that's the way we've always done it..." (also known as entropy) is a powerful de-motivator.

How do you break this log jam without becoming a pariah? 

Glad you asked! You have a Super Power to help with that... bring these entropy events to the "Compliance and Audit" Committee, let the business hear the arguments, pro and con then let the business have the final word. 

You are just the messenger here; the Business Leadership Team has the absolute responsibility to manage resource allocation to drive risk management and profitability. Those are powerful motivators. Let the business make the decisions, then carry out their decisions. It's never personal (though change feels personal sometimes), it's just business.

Maximize automation in your Compliance and Audit requirements 

By taking a long, hard look at your GRCPS and Audit requirements, inserting them into existing mature IT SDLC gates and automating the generation of audit artifacts, you are in essence differentiating yourself from the average Manager and ensuring that the Business Leadership Team sees you as a force multiplier, increasing the competitive advantage of the Business. 

Once you've made this point it will forever change the way the Business Leadership Team looks at you, your value to the Business will increase exponentially. 

The value you bring to the Business as a GRCPS Leader is not by turning a wrench on a tool; it's by effectively managing risk and resources and bringing efficiencies to the forefront in business meetings. Help the business understand that you as a Leader can drive efficiency, maximize tool investment dollars, free up IT labor for other more creative tasks and increase competitive advantage, and you'll get people's attention, and I'll wager you'll also get that next promotion with a lot less friction.

You have made the transition from Manager to Leader. Not a lot of folks in the Technology Teams see the value in doing that, but your Business Leadership Team does...