It’s Time to Take a Fresh Look at IT-Based Risk Management
Last year the FFIEC released a new version of the IT Security Handbook. More than 50% of the handbook now focuses on risk management. If it were a movie, the promotion might be something akin to ‘Ten Years in the Making. The Untold Story of how Weak IT Risk Management Causes Millions in Business Loss.’ Yes, it took a decade for the FFIEC to research and release the handbook, a decade in which the terms ransomware, anti-virus and patching became commonplace. It was a decade that painfully proved that enterprises, whether financial or technology-focused, had to face the fact they needed a risk management infrastructure to plan defenses against an ever-changing threat landscape.
Over the decade, as the FFIEC took a comprehensive look at a historically complex issue, financial institutions continued to think of risk in terms of financial loss. The untold story is that IT risk hasn’t been adequately addressed. Threats to IT infrastructure are capable of generating significant losses, even for banks.
The FFIEC has made it clear that a consistent risk management program is a key factor in improving the IT security and overall risk mitigation in regulated institutions. The reality is that risk management practices in all types of organizations can stand a tune-up. Good risk management practices include a thorough scrutiny of the different types of threats, a threat being the potential that a security breach may happen; an assessment of vulnerability, which is the measure of exposure; and an evaluation of risk, which is the measure of loss due to the threat happening. IT activities must be evaluated both as a source of some of these threats, such as accessing a website that leads to system compromise, and as a solution, by enacting security measures that can mitigate loss.
To combat the types of threats common today, such as phishing, viruses and ransomware, a risk management strategy has to be IT-driven. Organizations are well advised to examine risk management best practices and see how these practices can be better integrated with IT and help them improve risk mitigation.
The Outside Looking In Doesn’t Work.
Often, a risk management discussion starts with a company asking their IT security people to hire a consultant, who asks a bunch of questions, then creates a ‘risk assessment’ sheet and comes back a year later to ‘re-assess.’ This is far afield from what an effective risk management strategy looks like. Here are some best practices to consider for a more complete and powerful risk management initiative:
- Designate a point person. Each organization must have a dedicated person responsible for risk management, and that person must have authority from the CEO. Unlike the consultant approach, risk management is a process rather than a single point assessment. This continuous process needs an individual to manage the execution of risk assessment, evaluation, strategy and mitigation. A ‘hands-on’ approach is paramount to success and to being able to shepherd changes in strategy quickly and effectively.
- Begin at the beginning. Another overlooked best practice is to invest the time it takes to create a complete risk management program that contains an execution path for IT and includes a cost-benefit analysis for each identified threat. ‘All threats are not created equal’ is a good philosophy to embrace. The first order of business is to create a risk register, identifying the threats that are most pertinent to the business and have potential to do the most damage. A comprehensive list is not what we are after; a smaller, prioritized list of the highest priority threats will provide you with a focused set of mitigation activities that will put real value into the business.
- Put a finer point on it. With the myriad of threats that an organization can be exposed to these days, organizations have to put these into risk categories, to have a manageable program. Providing metrics in terms of likelihood and impact will help prioritize risks and allow IT to concentrate on those most meaningful to the enterprise. Calculating loss potential, probable frequency of loss, and the cost of unmitigated versus mitigated risk is a good start.
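The metrics named in the last item can live in the risk register itself. The following Python is an added example, not part of the original article or of the FFIEC handbook: it multiplies loss potential by probable frequency to get a yearly expected loss (commonly called annualized loss expectancy, a term the article does not use), compares the unmitigated and mitigated figures against the cost of the control, and ranks the register. All risk names and dollar figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float    # loss potential of one event, unmitigated (USD)
    events_per_year: float   # probable frequency of loss, unmitigated
    mitigated_loss: float    # loss per event with the control in place
    mitigated_rate: float    # events per year with the control in place
    control_cost: float      # annual cost of running the control

    def __post_init__(self):
        # Reject figures that would silently distort the ranking.
        for field, value in vars(self).items():
            if field != "name" and value < 0:
                raise ValueError(f"{self.name}: {field} must not be negative")

    @property
    def unmitigated_ale(self) -> float:
        return self.loss_per_event * self.events_per_year

    @property
    def mitigated_ale(self) -> float:
        return self.mitigated_loss * self.mitigated_rate

    @property
    def net_benefit(self) -> float:
        # Yearly loss avoided by the control, minus what the control costs.
        return self.unmitigated_ale - self.mitigated_ale - self.control_cost


def prioritize(register, top_n):
    """Return the top_n risks by unmitigated yearly loss, highest first."""
    return sorted(register, key=lambda r: r.unmitigated_ale, reverse=True)[:top_n]


def controls_costing_more_than_they_save(register):
    """Names of risks whose control does not pay for itself."""
    return [r.name for r in register if r.net_benefit <= 0]


# Constructed sample register; every figure is illustrative.
REGISTER = [
    Risk("Lost laptop", 3_000, 1, 1_000, 1, 5_000),
    Risk("Ransomware on file servers", 400_000, 0.25, 50_000, 0.125, 30_000),
    Risk("Disk drive failure", 8_000, 2, 500, 2, 3_000),
    Risk("Phishing credential theft", 20_000, 6, 20_000, 1.5, 15_000),
]
```

On this sample data, the frequent but cheap phishing events outrank the rare but expensive ransomware event, and the laptop control costs more per year than the loss it prevents.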
Fighting the Bad Guys.
Once an organization has its list of high-priority threats, executive management must identify a mitigation strategy for each threat. This activity defines the enterprise’s risk tolerance, and therefore cannot be delegated to lower levels in the organization. Typical risk mitigation strategies are as follows:
- Risk Acceptance: An organization can choose to accept the impact of a risk. Basically, the risk is in the risk register but no particular action is taken. It is important to document this so that when a loss event occurs, there is a reminder that executive management made the decision that this was okay.
- Risk Avoidance: At the other end of the spectrum, risk avoidance means taking action to avoid any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options and comes into play for mission-critical functions that are at the front lines of risk exposure.
- Risk Limitation: The most common risk management strategy used by businesses, this strategy employs a bit of risk acceptance along with a bit of risk avoidance. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by making and managing comprehensive backups on a regular schedule.
- Risk Transference: Risk transference occurs when risk is handed off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. Outsourcing transfers some, but not all, of the risk associated with operational activities. This can be beneficial for a company if a transferred risk is not a core competency of that company.
News Flash: There’s No End Game!
One of the dangerous pitfalls is thinking a risk is ‘over’ or a mitigation strategy, once constructed, is ‘done.’ After calibrating various forms of risk, controls must be identified and implemented, much like a regular change management program. It’s important to have a really good workflow around the process to support IT implementation measures such as patching, application control and privilege management. Just like any other process, the activity needs to be revisited on a periodic basis to make sure that 1) the controls identified are being executed and 2) the controls actually mitigate the threat identified. The first activity is called governance and the second is called audit.
Auditing is a best practice that will measure how effective and complete the control implementation is. Compared to one-off external assessments, auditing is an ongoing process that can help IT flag controls that are less effective. Note that the audit process is cyclical. When an audit is complete, it’s time to start over again with the specific risk and reassess.
By taking the time to carefully examine high priority threats from the aspect of probability and cost, and by thinking in terms of how IT can mitigate risk, an organization will have a stronger risk management program in line with today’s risk environment.