Organizations worldwide are taking stock of their IT risk management plans. At one time, audits were the driving force: companies examined their IT risk factors mainly to show compliance with industry mandates. Now we are seeing a shift away from that kind of thinking. Risk management is no longer left solely to IT; it has made its way to the boardroom, and C-level executives are taking notice of how IT risk affects the organization from a business standpoint. As CISOs and their IT departments have known for a long time, technology alone will not keep an organization secure.
In order to manage risk properly, organizations must understand the interrelationships between business systems. A business system is more than just technology; it’s the collection of people, processes and technology that serve a defined business function. This is why IT and business must work together: IT must know the systems and processes inherent to the business, while the business must understand risk from an IT perspective.
Let’s look at an accounts payable (AP) system as an example. Accounts payable is part of the financial reporting system; it is a collection of assets that all roll up into one business goal: producing financial statements. When you examine an AP system, there is of course a business side and an IT side. On the business side, the viewpoint is an approval process: the business user powers up a computer, opens a form, submits it, the form flows into a report for approvals, and at the end a check is cut. How the check gets cut is invisible to that user. On the IT side the view is different: an application running against a database that resides on a server in a data center.
No matter your frame of reference, business or IT, the AP system has risks. However, as an IT administrator you can’t open a conversation about risk with your business counterpart by saying “this server is at risk.” Instead, you must talk with them from the perspective of their process-based world. By asking the process owner to define the business risk and the compensating controls they believe are already in place, you can inventory those risks and map controls to each of them. IT can then translate each business risk into technical controls. In the AP example, the business risk “a check is cut without proper approval” is answered by the business with segregation of duties, and IT translates that into role-based access to the application, approval steps enforced by the workflow rather than by convention, and an audit trail of who submitted and who approved each payment. Each technical control should trace back to a named business risk; a control that maps to nothing is a cost, not a mitigation.
This example shows how people, processes and technology can effectively work together to manage risk. Reports can be made and checks can be cut because the business system runs smoothly. The most important thing is for each side to understand the risks and communicate in terms that everyone can comprehend.
I’m often asked, “Where’s the best place to start?” The best place to start with risk modeling is defining the business function and understanding what the risk is to that particular function. Begin with what keeps the business running and what would hurt it most if compromised. Look first to your business continuity plan and the 24-hour recovery list in your disaster recovery plan: the functions on that list are the ones whose loss would put you out of business, so they are where the risk inventory should start.
So how will implementing these changes help an organization? By involving your business counterparts in IT risk decisions, the policies, procedures and technical controls you put in place will reduce risk and improve efficiency, because they address risks the business actually recognizes. Beyond that, we have found that once business leaders at the executive level understand risk and how they can contribute to mitigating it, CISOs find great things begin to happen, and budgets for security and risk management begin to increase. Everyone plays a role, and it starts with the business supporting the CISO and the IT team from the ground up. You can’t protect what you don’t know you have, so communication at all levels is the key to managing risk across the business systems you depend on.