Aligning security with the business will help you as a CISO not fall off the wall

That's pretty much every CISO's objective. We're all perched on narrow walls with no safety net. This was the basis for Vanderbilt Professor Mark Abkowitz's presentation, "Enterprise Risk Management", last month at the University Club in Nashville.

Professor Abkowitz is an expert on risk management as it applies to the entire enterprise. I have long been interested in the subject of enterprise risk management (ERM), because C-level executives understand this language, whereas they may not understand information security language as well. If you can position security risks within the scope of enterprise risks, you have a better chance of being heard by the C-level. Also, the practices of enterprise risk management have been developed since the time of the Trojan horse, so you don't have to reinvent the wheel.

The good news is that information security risks cut across all four areas defined under enterprise risk: strategic, operational, compliance and financial. For example, strategic risks include loss of reputation resulting from a breach; operational risks include service outages from DDoS attacks; compliance risks include the numerous privacy-related threats to the business; financial risks include misstated or delayed financial statements. By positioning information risks in your organization as part of these four business risk categories, you will be better able to get the attention of the C-level executives.

I first became interested in Professor Abkowitz's work after reading his book, "Operational Risk Management." This book analyzes 18 individual operational risk failures and looks for the common root causes of these events. I am a huge believer in this type of "evidence-based risk analysis." Unfortunately, we don't have much of this in the information security field, since organizations most often blame "sophisticated hackers" when they experience a breach.
The real causes are not shared. The top 10 causes of operational failures in Abkowitz's book include: design flaws (has anyone done dynamic testing of the software?); schedule constraints (no time for security testing before go-live); inadequate training (your basic 15-minute annual awareness training); lack of preparedness (have you really tested your incident response plan recently?); and six other causes. Each of your control objectives is subject to these 10 causes of failure. Understanding them can help you prioritize remediation and prevent disasters. If you are building a security governance program, the book would be a good read.

Abkowitz's presentation at the University Club was about ERM, not just operational risk management. I had three takeaways from this talk. They apply equally to ERM and information security.

Takeaway #1: enterprise risk management works only if all organizational layers within the company have a role. We have to go beyond "awareness training" and give security responsibility to a wider range of staff.

Takeaway #2: there is a significant gap between what the C-level wants from the security program and what the CISO thinks they want. A study from the "Economist" shows that the top three C-level objectives for the cyber security program are: (1) protection of company reputation; (2) protection of private internal communications; (3) protection of strategic plans and information. According to security leadership, the top three priorities are: (1) protection of regulated data; (2) protection of customer information; (3) protection of customer reputation. A realignment here could make security programs more effective at the enterprise level.

Takeaway #3: simple dashboards can go a long way toward communicating risks to the C-suite. This is well known in the ERM world, but too often information security gets bogged down in reporting status for hundreds of security controls.
The type of dashboard I'm talking about is basically a traditional risk register, with status and trend lines included.

In conclusion, if you want to avoid being Humpty Dumpty, you should take these three actions:

1. Find out what your C-level execs consider the most important aspect of your security program.
2. Find out what your organization considers to be enterprise risks, and align information security risks with those risk categories.
3. Investigate how to simplify executive reporting without losing the key underlying information.
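To make the third action concrete, here is an added example (not code from the article or from Professor Abkowitz's work) of the roll-up behind such a dashboard: a handful of constructed risks, each tagged with one of the four ERM categories and carrying a short history of residual-risk scores, are condensed into one line per category with a RAG status, a trend and the risk driving it. The register entries, the likelihood-times-impact scoring, the RAG thresholds and the two-period trend window are all assumptions chosen for illustration; the detail rows stay available underneath so the summary does not lose the underlying information.

```python
"""Executive risk dashboard built from a security risk register.

Added example, not from the article: constructed risks tagged with the
four ERM categories (strategic, operational, compliance, financial) are
rolled up into one line per category with a RAG status and a trend.
Scores, thresholds and the trend window are assumptions.
"""
from dataclasses import dataclass

# The four enterprise-risk categories named in the article.
CATEGORIES = ("strategic", "operational", "compliance", "financial")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    category: str
    owner: str
    # Residual-risk score per reporting period, oldest first.
    # Score = likelihood (1-5) x impact (1-5), so 1..25 (assumed scale).
    history: tuple


# Constructed sample register (assumed values, not real data).
REGISTER = (
    Risk("R1", "Reputation loss from customer-data breach", "strategic", "CISO", (20, 16, 15, 12)),
    Risk("R2", "Service outage from DDoS", "operational", "Head of Infrastructure", (9, 9, 12, 15)),
    Risk("R3", "Privacy-regulation non-compliance", "compliance", "General Counsel", (16, 16, 15, 16)),
    Risk("R4", "Misstated or delayed financial statements after ERP compromise", "financial", "CFO", (6, 8, 6, 4)),
    Risk("R5", "Trade-secret loss via insider", "strategic", "CISO", (12, 15, 20, 20)),
)


def status(score, amber=8, red=15):
    """Map a 1..25 score to a RAG status (thresholds are an assumption)."""
    if score >= red:
        return "RED"
    if score >= amber:
        return "AMBER"
    return "GREEN"


def trend(history, window=2, tolerance=1):
    """Direction of the score over the last `window` periods.

    'up' means the risk got worse, 'down' better; moves within `tolerance`
    points are reported as 'flat' so scoring noise does not look like a trend.
    """
    if len(history) < 2:
        return "flat"
    base = history[-(window + 1)] if len(history) > window else history[0]
    delta = history[-1] - base
    if delta > tolerance:
        return "up"
    if delta < -tolerance:
        return "down"
    return "flat"


def risk_rows(register):
    """Detail view: one row per risk, the level the security team tracks."""
    for r in register:
        if r.category not in CATEGORIES:
            raise ValueError(f"{r.risk_id}: unknown category {r.category!r}")
    return [
        {"id": r.risk_id, "category": r.category, "owner": r.owner,
         "score": r.history[-1], "status": status(r.history[-1]),
         "trend": trend(r.history)}
        for r in register
    ]


def category_history(register, category):
    """Per-period worst-case score for a category (max across its risks)."""
    risks = [r for r in register if r.category == category]
    if not risks:
        return ()
    periods = min(len(r.history) for r in risks)  # align on the most recent periods
    return tuple(max(r.history[-periods:][i] for r in risks) for i in range(periods))


def executive_dashboard(register):
    """Executive view: one line per ERM category, named after the worst risk in it."""
    rows = []
    for cat in CATEGORIES:
        hist = category_history(register, cat)
        if not hist:
            continue
        in_cat = [r for r in register if r.category == cat]
        worst = max(in_cat, key=lambda r: r.history[-1])
        rows.append({"category": cat, "score": hist[-1], "status": status(hist[-1]),
                     "trend": trend(hist), "driver": worst.title, "risks": len(in_cat)})
    return rows


def render(rows):
    """Plain-text table of the executive view."""
    lines = [f"{'Category':<12} {'Score':>5} {'Status':<6} {'Trend':<5} Driver"]
    for row in rows:
        lines.append(f"{row['category']:<12} {row['score']:>5} {row['status']:<6} "
                     f"{row['trend']:<5} {row['driver']} ({row['risks']} risks)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(executive_dashboard(REGISTER)))
```

Two design choices matter here. The category score is the worst risk in the category rather than an average, so a single red item cannot be hidden by several green ones; and the trend compares against a score two periods back with a one-point tolerance, so a quarter of scoring noise is not reported to the board as a movement.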