Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Nikki Haley didn't see information risk management as a key part of her job when she was sworn in as South Carolina governor two years ago. But a breach of the state tax system, in which a hacker exposed the records of nearly 4 million taxpayers, changed all that.
"When something goes wrong, that's when you notice," the governor says.
Whether out of a sincere sense of duty to serve her constituents, a calculated move to placate angry voters and save her political neck, or both, the breach catapulted Haley into a position of leadership on safeguarding the state's digital assets. It's a role most chief executives don't take on voluntarily - and that's a mistake (see The Infosec Education of Nikki Haley).
In light of growing threats and the increasing complexity of information technology, organizations - whether in the public or private sectors - must get everyone in the enterprise, especially its top leaders, involved in assessing and managing information risk (see Top Threats: The 2013 Outlook).
An effective approach to risk management must go far beyond managing risk in silos within separate departments. And when assessing and managing risk, steps must be taken to ensure that everyone is using the same vocabulary, so that a finding raised in one discipline's jargon is not lost on another.
Organizations that lack an effective, updated enterprise risk management strategy place their missions - as well as their bottom lines - in jeopardy.
"Information risk management is a business function, not a technology one," says Ron Ross, a fellow at the U.S. federal government's National Institute of Standards and Technology and a top authority on information risk management (see Risk Management Framework: Learn from NIST).
And, as a business function, every key player in the enterprise - including the CEO; business-process owners; IT and information security executives and managers; those who design and maintain systems; and those who acquire technology - must be involved in the risk management and assessment process.
Selected representatives of these key players should form the team that will conduct the risk assessment.
The team must identify threat sources and vulnerabilities, then determine the likelihood that a threat exploits a vulnerability and the magnitude of the resulting impact on the organization. It's vital that the team communicate its findings regularly to others in the enterprise, especially top executives and business-process owners. And it must update risk assessments regularly, because threats, vulnerabilities and systems change.
To underscore this approach, NIST issued the latest version of its risk assessment guidance, Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, in September 2012.
Other guidance is available from the International Organization for Standardization and the International Electrotechnical Commission, which jointly published a guide on risk assessment techniques, ISO/IEC 31010. And ISACA, a global association of IT audit, risk, governance and security professionals, offers risk assessment guidance through its Risk IT Framework publication.
The threat landscape is evolving rapidly, and that's having an impact on the way organizations function.
The ongoing spate of distributed-denial-of-service attacks against U.S. banks has meant millions of customers couldn't transact business online. That kind of disruption hits a business' bottom line and its reputation (see The New Wave of DDoS Attacks: How to Prepare and Respond).
Supply chain compromises could result in tampered computer components being installed in information systems, allowing nation-states, cyberthieves or competitors to pilfer trade secrets and other intellectual property (see Ensuring Integrity of IT Supply Chain).
New forms of malware - ransomware, for instance - frighten users into paying up or surrendering sensitive information.
As a result of these and other new threats, senior executives need to champion initiatives to safeguard their institutions' digital assets. "The general leadership needs to take responsibility for information security and privacy," says Carol Holcomb, who leads PricewaterhouseCoopers' risk assurance data protection and privacy practice. "The CEO and CFO need to set the tone."
Information risk is perceived as a growing challenge because of how it can disrupt the everyday activities of businesses and governments.
A generation ago, many organizations recognized the importance of information systems to the functioning of the enterprise, symbolized by the creation of the job of chief information officer. As the threat landscape has intensified in recent years, a growing number of C-level executives have come to understand that addressing information risk management is as critical to the health of the enterprise as addressing other types of risks. And they've incorporated IT risk management into a broader field known as enterprise risk management.
A Broken Process
Enterprise risk management is an attempt to get beyond managing risk in silos within separate departments. But many organizations have yet to take this updated approach.
"The risk assessment process is broken, largely because the people doing the risk assessment have compartmentalized skills and are doing compartmentalized risk assessment, yet it gets advertised as something more substantial when the results get rolled up to management," says Brian Barnier, a task force member at ISACA. "You've got people with silo skills doing siloed assessments, and people are relying on them in ways that are inappropriate."
New technologies - mobile, the cloud and social media, to name a few - are driving organizations to incorporate information risk into enterprise risk management. "It's especially the case now that more and more companies have employees with mobile devices that are connected to the system that can be lost or stolen," says David Bradford, publisher of the annual benchmark survey produced by RIMS, the risk management society. "What has happened is that more and more companies are creating committees that span the organization to address data security issues, and increasingly that includes the risk management department."
There's also a growing recognition within the risk management community that organizations cannot break apart various components of enterprise risk - financial and information, for instance. "There's just way too much spillover between the different types of risk, and to not look at it in a holistic sort of way leaves yourself open to really not understanding what the risk profile of your organization is," Bradford says.
Enactment of the Sarbanes-Oxley Act a decade ago represented a sea change in risk management and assessment. The law held top management and boards of directors legally responsible for the accuracy of corporate financial statements. That forced CEOs, other top executives and board members to become more engaged in enterprise risk.
The Securities and Exchange Commission issued guidance in 2011 on how publicly traded companies should disclose cybersecurity risks and incidents in their regulatory filings. And that's prompted many companies to extend risk responsibilities to their top leaders. "We've actually seen a trend lately where companies are forming a risk committee at the board level," PricewaterhouseCoopers' Holcomb says. "You want people who can really understand risks that go across the organization."
Neglecting to involve top executives and board members in information risk management endangers the entire enterprise.
Executives and board members place themselves in a bad position if they don't hold their organizations' chief information officers and chief information security officers accountable, says John Muir, managing director of the Security Innovation Network, or SINET, a business that links providers, researchers and users, including the U.S. federal government.
Lost in Translation
But involving technology specialists, senior executives and others in information risk assessment requires that everyone speak the same language, something that is easier said than done.
NIST's Ross says he's seen requests for proposals issued by government agencies that spell out detailed technology requirements and then simply add that the solution must be FISMA compliant, referring to the Federal Information Security Management Act, the law that governs IT security across the federal government. FISMA, with its innumerable elements, may be in the lexicon of CISOs, but it's not necessarily understood by others.
"Acquisition people don't speak FISMA," Ross says. "FISMA compliance means a thousand things when you peel back and look at all of the NIST standards and guidelines that are sitting behind that."
Technologists must explain the details behind regulations so others in the enterprise understand how they have an impact on the organization, Ross says.
Collaborating on Risk Assessments
Organizations that fail to create an environment in which multidisciplinary teams collaborate to assess risk can face adverse financial consequences.
In healthcare, several federal investigations of small breach incidents have led to big fines because the organizations lacked the current risk assessment HIPAA requires and, as a result, also lacked plans for mitigating the risks it would have identified.
The Department of Health and Human Services' Office for Civil Rights issued a $1.5 million HIPAA penalty against Massachusetts Eye and Ear Infirmary, a Harvard University-affiliated specialty hospital, as part of a settlement agreement following the investigation of a breach involving a physician's stolen unencrypted laptop. In a similar case, the office issued a $1.7 million penalty against the Alaska Department of Health and Social Services. That investigation was triggered by the theft of an unencrypted storage device.
"These cases show that risk assessment continues to be a priority for the Department of Health and Human Services," says attorney Adam Greene, who formerly worked at the Office for Civil Rights. "Small breaches will lead to big problems if OCR's investigation finds insufficient risk assessment."
But the financial risk stemming from the lack of adequate risk assessment goes beyond potential government fines. As cybercriminals become more sophisticated, an enterprise's entire business could be placed in financial jeopardy.