Ready for Risk Management?
Metrics Help Organizations Assess Their MaturityWhen it comes to information security, there are as many ways to go wrong as to go right. That is why, before a financial institution attempts to implement and improve its security risk management process, it must examine its fundamental level of maturity. Is the organization ready for risk management?
See Also: Identity Security and How to Reduce Risk During M&A
According to industry analysts, an organization with no formal policies or processes relating to security risk management will find it extremely difficult to put all aspects of the process into practice. Even organizations with some formal policies and guidelines may still find the process a bit overwhelming. The solution is to take the time to assess your organization's maturity level.
Mike Karp, senior analyst, Enterprise Management Associates, an IT analyst and consulting firm, credits the concept of organizational maturity to Carnegie Mellon University’s Capability Maturity Model (CMM). Karp says maturity has to do with building the capacity to make processes repeatable, that is to say well defined and well documented. Ultimately, you want to end up with processes that are vetted and tested so that they are bullet proof -- though perhaps not foolproof, he says.
“What you need is something you can point to if there is a mistake along the way so you can say ‘Here is what happened,’†says Karp.
Determining Your Maturity LevelWriting in a recent Gartner publication, “Toolkit Tutorial: Assessing Risk Posture and Setting Priorities Using a Process Maturity Tutorial,†analyst Paul E. Proctor outlines a six-step process that can be used to tackle financial service organization security challenges.
- Develop a Process Catalog which involves gathering existing process documentation or, if necessary, documenting processes for the first time -- then setting priorities within this “catalog†for process formalization and for assigning ownership and resources.
- Assess Process Maturity invokes the CMM model to decide which elements in the catalog are mature and which ones need further refinement.
- Develop a Process-Maturity-Based Risk Report focuses on creating “a bridge between process maturity and risk posture.†Because there are no absolute standards for security, Proctor recommends setting up a multidisciplinary panel to make these assessments.
- Decompose the Gaps into Projects puts forth an action plan to address security gaps, with projects focused on elements that can “materially improve the maturity†of a given process.
- Develop a Strategic Plan puts process into the assessment and ensures that purpose and value is communicated within the business.
- Quarterly Reporting provides a schedule.
The report goes on to recommend that implementation be mapped to organization goals. In particular, writes Proctor, you must bring together the right mix of people, and “engage your organization in a manner relevant to your...circumstances.â€
Other ApproachesAnother view of the risk maturity process comes from the International Association for Contract & Commercial Management (IACCM), which has published a report (updated most recently in 2003) titled “Organisational Maturity in Business Risk Management.†That report sets out a 12-step implementation process and identifies four levels of organizational achievement: novice, competent, proficient, and expert. The organization’s degree of competence is measured in terms of four attributes, culture, process, experience, and application.
Organizations at the novice stage tend to be risk averse, lacking in awareness, understanding and commitment and have few working processes in place, little or no relevant experience and no application of any attributes to mastering security. On the other end of the spectrum, expert organizations are proactive -- with an intuitive grasp of challenges and a full commitment to “be the best.†In terms of the process, experience and application attributes expert organizations are adaptive, have considerable experience and qualifications and are applying themselves to master security challenges across the whole business.
The IACCM report, available at http://www.risk-doctor.com/pdf-files/brm1202.pdf, provides a number of matrices and questions that support organizational self-assessment.
Finally, The Information Security Program Maturity Grid, authored by Timothy R. Stacey, and developed for a National Institute of Standards and Technology seminar, lays out five the stages of security maturity, which somewhat resemble those in the IACCM report. They are uncertainty, awakening, enlightenment, wisdom, and benevolence.
Stacey offers his own matrices that can help with organizational assessment, and he proposes five measurement categories for gauging improvement: management understanding and attitude, security organization status, incident handling, security economics, and security improvement actions. This article is available at http://www.infosectoday.com/Articles/82-10-40.pdf
Putting Maturity into PerspectiveWith all the available approaches, most of which share common attributes, it isn’t hard to “get the ball rolling†on a security initiative. However, notes Adam Honoré, senior analyst at Aite Group, a research and advisory firm focused on the financial services industry, “I’m always a little dubious about people going overboard.â€
Honoré explains that, as with CMM, “When people say they are operating at level 4 or level 5, that means they are spending a whole lot of time on process,†which may not always yield proportional benefits. “It really is a common sense issue, no matter what you are bolting on to your organization in terms of methods you have to be smart.â€
Also, notes Honoré ,“If you are talking about self-assessment, certainly many banks are already doing maturity models in one form or another, whether it is within the Microsoft Solutions Framework if they are a .Net shop or perhaps using tools like those from IBM Rational Software.†Banks are also doing many workflow processes around data ownership in terms of how records are sourced and updated, who has rights, who needs to have access and who has ultimate control.
For Honoré, it boils down to three necessary components: Make security thinking part of your culture, eliminate data silos, and foster technical accountability. In other words, he adds, “Use workflow.â€
Still, he admits, “No one wants to be on the front page all the time like the TJX Companies.â€