This is Part Three of a Six-Part blog series on Cyber Risk Management from guest blogger Simon Goldstein
Senior Executives perform an important role in any effective cyber risk and security program. They are the executors of the governance function. They provide direction, resources, and policy leadership. They are neither a rubber stamp, nor simply a bureaucratic burden. They have the best possible position to view the whole playing field and can offer clear insight and support to strengthen your risk program efforts—if you engage them as partners, active participants, and facilitators.
Too often program managers view Senior Execs as adversaries to circumvent; narrowly focused on cost savings, a bureaucratic bother they must placate through “good news,” intimidate with dire consequences, or coddle as too ignorant of the technology involved to understand or appreciate the complexities and nuances of cyber risk management in today’s fluid environment. These approaches are a mistake that directly weaken your program’s potential and operating strength. Let’s discuss what your Senior Exec needs to know, why, and how rich information flows empower them to fulfill their roles in your comprehensive cyber risk management program and contribute to its success.
First you must define the program’s dimensions; specifically, its scope and its boundaries. These may be geographical, operational, organizational, technological, or some combination of attributes. In some cases the boundaries may be partially proscribed by differences in the extent or maturity of your program’s reach, technological sophistication, or variations in perceived threat potential. Defining these perimeters and subordinate attributes helps clarify the playing field and establishes context for your risk program activities, its resource requirements, and in monitoring detail. Scope and boundary attributes set a concrete foundation for evaluating your program’s design and component offerings, identification of relevant policies, regulatory obligations, impacted processes, and resource expectations. For Senior Executives this also helps place the effort on their priority scale for attention, engagement, and active participation. It helps define and shape Senior Executive roles within the cyber security program. And, these scope and boundary parameters also begin to set an appetite for information quantity and quality.
One challenge IT risk, and cyber risk in particular faces is the challenge of terminology, business meaning, and impact. Too often, cyber risks are presented on a two-point scale: trivial and catastrophic, with the latter often portrayed as leading to events and outcomes just short of the doom of humanity and the end forever of freedom, candy, and dessert. This is a dysfunctional practice that shades everything in the risk program as derived from a “sky is falling” mentality. And without some orientation in context to business operations, obligations, goals and results, risk representation rapidly loses meaning, impact and value to Senior Executives and all leadership in general. Here’s where organizing frameworks can truly overcome and prevent these issues from depreciating the value of your risk program.
Frameworks do more than provide a means to organize activity and data. They also assign terminology and meanings that are expressed in lay business terms. They infer means of rating and measuring risk. Frameworks describe roles and recommend processes and sequences to fulfill described activities. They help technical and operational risk professionals conjoin their efforts with those of more traditional business disciplines such as financial or reputational risk so that a comprehensive enterprise risk portrait may be presented that’s meaningful to business leaders and relevant to its goals. Frameworks also help assure some sense of completeness through their own content, allow for customized classifications of activities and data in a manner that supports industry and generalized comparisons, and provide a lexicon of terms and language useful to meaningful risk discussions without requirement for detailed technical expertise.
Figure 1: NIST Core Framework Functions
These attributes foster effective, topical information exchanges between Senior Executives and their staff. That allows freer discussion and more useful engagement at Senior levels of your organization. They do not need deep technical capabilities to discuss the overall state, summary plans, and corrective efforts for any of these core functional categories.
Frameworks organizing features also allow an enterprise to decompose and assign its own internal standards, and its regulatory obligations across an organizing framework. Doing so fosters efficient compliance and governance. It also helps identify opportunities of repetition that can be consolidated for efficiency, or internal standards out of alignment with framework provisions, regulatory requirements, risk objects, or all the above. The framework is a tool easily leveraged for consistent, efficient governance, and, as we’ll discuss in a moment, lends itself to more meaningful reporting too.
There is no single “right” way to manage risk that fits every corporate situation, risk footprint, and resource capacity. But there are recommended activities and to some degree each must be addressed by a comprehensive program. These include the efforts needed to achieve meaningful information with respect to core Functions, such as NIST 1.1’s Identify, Protect, Detect, Respond, and Recover. There are also some performance steps basic to managing risk and fulfilling the expectations of those core functions. NIST defines them in seven (7) steps:
There is nothing magical nor profound here, but these steps of understanding the scope and goals for a program, evaluating the current state of affairs, determining a preferred state, establishing targets, designing plans to close gaps to the preferred state, and monitoring progress are fundamental management practices. But, they are as relevant for managing risk, including cyber risk, as they are for other disciplines. The uniqueness is in the underlying specifics and details.
Comparing the current and target states is one of the most important, but often challenging activities. Why? While it’s fairly straightforward to determine current state, assigning targets is often open to philosophical debate. No, the simple answer is not to presume the target is always the ideal, or even the “5” on a scale of 1- 5. The “ideal” (often a hypothetical generic state) will differ with each organization, its overall risk perimeter and footprint, and its resources. There’s nothing ideal about specifying a target that would cost $20,000,000 to implement when the firm’s annual operating budget is $2MM. Nor does including comprehensive measures to address open source code, or cloud computing if neither are part of your operation, or that of your partners or extended service providers. So, determining target states requires the same reasoning as determining goals and budgets. Targets need to be mindful of goals, mission, customers, and strategies. It’s a great place to incorporate input from your Senior Executives, given their field of company and industry viewpoint and likely understanding of core capabilities and resource constraints. Their collaboration and shared ownership of targets add meaning to the reporting they’ll review along the way, making the process of adjustment, where appropriate, more nimble and efficient.
Frameworks also help place context and relevance into remediation status reporting, year over year trending or risk states and leading indicators gleaned from operating data. That’s why choosing the framework to follow for your program and your organization is important. It must be one that readily adapts to model the actual functions and operations of your enterprise with as precise a fit as can be made. Customization is built by design into most strong frameworks, so this should not be too difficult a challenge. But do try to avoid the pitfall of viewing a framework as a surrogate corporate “religion”. There must be room for flexibility and extensibility, so as technologies, regulations, operations and people change the program and the framework can flex without breaking or creating contradictory or incompatible business scenarios.
Let’s not forget about the power of useful reports. There should be a regular, standardized set of reports that help Senior Executives understand the current state, actions planned or in progress, and a calendar of expectations they can follow. Frameworks can imply or specify reporting structures through the context of core functions, or the prospective of key process steps. The calendar helps Seniors plan resources for activities that are intensive to minimize operating disruptions, and it sets an expectation for program deliverables.
Whatever framework you adopt, be sure to include your Senior Executives in the recommendations and determination process. Doing so will lay a strong foundation for your relationship and will allow Seniors to assert some ownership early on in the direction, shape, and substance of your risk program. This will pay strong dividends throughout the time to follow as your program, founded in collaboration and cooperation, begins to grow and mature.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.