Risk matters…so does trust
By Bryan K. Fite, BT Assure US & C Portfolio Manager
Many organisations do not manage risk in a holistic way. Rather, they maintain silos of risk-management activity that often use completely different methodologies and tools to model and treat risk. Security Operations, Audit/Compliance and Business (think CFO and Board of Directors) are the silos most seen in the wild. This structure may have worked in the old world, when being the guy that said ‘NO’ was enough, but this is not the case in the age of Bring Your Own Device (BYOD), cloud computing and regulatory compliance. However, it does provide a unique opportunity for the savvy security professional to bring the silos together by normalising the way they express, communicate and treat risk.
Risk management is a bit of a misnomer. It should be called risk and reward management; that is how business decisions are made. To get your seat at the table you must speak in terms the business understands — which is good old-fashioned cash. By adopting a normalised and accepted language the security professional can communicate more effectively with those who control the budgets and dictate policy.
What’s trust got to do with it?
The evolution of information security within large organisations has followed a linear and predictable path. Organisations with prescriptive control requirements, rigid policies and arduous risk-management practices were perfect candidates for ‘outsourcing and offshoring’ with little to no change in corporate governance or culture, because the business viewed these functions as commodities. To stay relevant and competitive, organisations need to develop a new capability: the ability to measure and justify trust.
The confidence leadership has in its organisation’s security programme comes from a combination of control and trust. The more control an organisation wields, the less trust is required, and vice versa. New business challenges require a new way of managing risk and reward.
- BYOD — trust your users.
- Cloud computing — trust your providers.
- Regulatory compliance — trust your controls.
By adopting common risk-management metrics, innovative controls and trust management techniques CSOs and other security practitioners can survive and prosper in the age of cloud computing and shared services. This will allow for a holistic view of risk across the organisation ensuring that limited budgets are allocated in the optimal way. The ultimate goal is to determine your organisation’s appetite for risk and to facilitate the cultural move from a ‘zero risk’ mentality to a ‘risk resilient’ mentality.
As we continue to explore the merits of Trust Enhanced Risk Management (TERM) we should consider these four principles:
- Express risk in cash.
- Communicate risk in effective and agile governance forums.
- Treat risk creatively.
- Understand how, why and who you trust.
Depending on the maturity of your organisation, some of these items will be more aspirational than immediately actionable. That’s OK. The objective is to start challenging the status quo and driving positive change.