ERM: Old concept, new ideas
- 29 July, 2013 19:21
Enterprise risk management (ERM) is hardly new. Eric Cowperthwaite, CISO at the nonprofit healthcare organization Providence Health and Services, recalls hearing the term for the first time in the late 1990s, "and it existed before then, even if we didn't call it that," he said.
Indeed, the term goes back several decades, according to Jeff Spivey, who is vice president at RiskIQ, president at Security Risk Management, and international vice president of ISACA.
"My father was involved in risk management beginning in 1968," he said. "What was then called 'risk management' is now called 'enterprise risk management.'"
John Shortreed, a member of the International Organization for Standards, which developed ISO 31000, one of the most prominent frameworks for ERM, says the framework has been "evolving and maturing over the last decade, in response to the increasing risks [in] our world" brought on by such varied factors as interconnectivity, climate change and economic upheaval.
But after all that evolution, it is still not close to being standard operating procedure in most enterprises. According to a 2012 customer survey by the Corporate Executive Board, 70 percent of respondents did not have a formal risk-appetite approach in place. Risk appetite is one of the fundamentals of ERM. Cowperthwaite is not surprised at those results.
"My perspective is that most security practices are foundationally compliance driven, even if they have a risk component," he said.
"The thinking of most CSOs is, 'There is some number of things I'm required to do. When I do them, I have a security program.'"
That doesn't mean nobody is doing ERM, he added.
"I could name a dozen CSOs who are really involved in their businesses and doing great ERM,"he said. "But I could also name more than a dozen who are basically just keeping in compliance keeping the firewalls in place. I think if we were to survey the industry as a whole, we'd find the 20-80 paradigm, where only about 20 percent really understand what their business is about so they can make the case for managing risk."
Not everybody thinks the divide is that great between those practicing ERM and those focused on compliance -often derisively called "checking-the-box security." Chris Wysopal, co-founder, CTO and CISO of Veracode, says he is seeing more of his security peers "performing threat modeling based on the way their business works and what is going on in the threat space."
In at least one sector of the economy - finance -there is strong evidence of risk management taking hold. The Wall Street Journal reported in October 2010 on a Deloitte survey of 111 financial institutions that found 75 percent of them had a chief risk officer or an equivalent position, which is one of the core components of most ERM frameworks.
John McClurg, vice president and CSO of Dell, says in recent years he has seen a lot of evidence of ERM in Fortune 100-level companies, "but not so much in smaller companies, and that is the majority of businesses in the country."
William Mabon, director of the cybersecurity product portfolio for BAE Systems, is among those who are not involved in ERM. He says that while he and his firm's clients, which are mostly in government, are very focused on protecting data, "as opposed to going through exercises that are designed to pass through audits," he does not hear much talk about ERM with those clients.
"It is not a buzzword that we're living and breathing every day," he said.
Cowperthwaite believes the stumbling block is not a lack of understanding, but rather an all-too-clear understanding of how hard ERM is to do.
"If you do qualitative risk management, it leaves an amazing amount of room for people to argue," he said "When I say something is a high-risk, the CEO might look at me and say, "[An impending merger] is high risk -what you're talking about is moderate.'"
But then, some experts say ERM is not the way to go anyway. Douglas Hubbard, CEO of Hubbard Decision Research, even wrote a book about it -The Failure of Risk Management -in which he poses three questions: Do these risk-management methods work? Would any organization that uses these techniques know if they didn't work? What would happen if they didn't work?
Hubbard argues that the answer to the first two questions is "no," and that the answer to the third is that there could be catastrophic consequences for a company or its customers.
Richard Stiennon, chief research analyst at IT-Harvest, contends that ERM simply doesn't work. In a recent Facebook post, he proposed the following title for a course on ERM that he was about to teach at the National Defense University: "No one ever got fired for implementing a risk-management program - but they should be."
Stiennon says that "as an industry analyst and adviser to some of the largest organizations in the world, I have seen them start to move away from risk management to threat management."
Francis Cianfrocca, CEO of Bayshore Networks, agrees.
"With risk-management best practices, you're not really protecting yourself. Enterprises need protection rather than risk management."
Of course, advocates of ERM contend that it is all about protection - evaluating what kind of protection is needed based on the kind of risk and the amount of damage it could do to an organization.
So maybe before we can discuss the progress and even worthiness of ERM, we need to refresh everyone on what the definition of ERM is and what some of its core goals are. Most CSOs would agree with Spivey that it starts with a holistic view of all risk that an organization may be exposed to, including operational, brand, financial, physical and, of course, information security.
They also agree with what shows up in multiple frameworks and advice columns on the topic: The overall goal is to manage that risk in a way that provides value to the company. Or, as Cowperthwaite puts it, security professionals should "learn what your business does. Go talk to a business-unit person. He's going to think that's pretty cool because no security guy has ever done that before. Then you can connect what you do to what the business does in meaningful ways."
Within that overall mission are a number of specific goals common to most of the frameworks designed to help enterprises implement ERM.
They include: -Get rid of silos in dealing with risks: Traditionally, businesses have had separate monitoring groups for risks involving credit, physical security, loss prevention, fraud prevention, information security, business continuity, safety, compliance and audit. If all divisions and departments in an enterprise are not connected and communicating, holistic risk-management is impossible.
-Define and balance risk appetite: It is difficult to set business security controls without a clear understanding of how much and what kind of risk the company is willing to accept.
"People have different risk appetites based on role and responsibility," says Jonny Gray, head of global client risk services for the Americas at Control Risks. "Legal has a different appetite than the business developers do."
-Enable the business: This includes the frequent exhortation to risk managers to "create and protect value." Again, this is only possible with an understanding of how a business makes money and what risks would undermine it.
-Help decision-makers make informed choices and risk-response decisions: Most frameworks recommend five options for dealing with risk, which can be remembered with the acronym REITA: Reduce it (with controls, for example); Ignore it; Eliminate it; Transfer it (by buying insurance, for example); or Accept it (which is not the same as ignoring it). The goal here is to make informed choices by looking at risks across the enterprise, rather than by department or function.
-Implement effective controls in response to risk: Obviously these are a natural result of the choices made during the REITA assessment. Achieve objectives at lower cost: One of the most common recommendations here is that consolidating risk management will mean it requires fewer people. ERM proponents also argue that setting priorities can help an enterprise cut its risk-management costs.
-Ensure appropriate and timely involvement of stakeholders: This includes company leadership, staff, customers, stockholders and business partners. Be responsive to internal and external change: Any ERM program, to be effective, must be nimble enough to respond quickly to emerging threats or new vulnerabilities.
Where, then, are CSOs and CISOs succeeding or failing in reaching ERM goals? McClurg says he believes ERM has led to "more thoughtful, deliberative decisions" about handling risk, and that security pros, especially at the larger, Fortune 100-size companies, are moving away from "guns, gates and guards. It's not security as much as business assurance."
But, he says, that progress has been matched or even exceeded by attackers.
"The threat vectors are more sophisticated -bad guys have gotten better," he said.
Erik Devine, CSO of Riverside Medical Center, says one of the biggest ERM successes in his organization has been "finding avenues in technology to secure information at a lower cost."
The biggest challenge, he says, has been trying to integrate information security into the goals of the corporation, "including patient care, financial, compliance and patient information. I'm finding many challenges on changing a philosophy that has been in place for quite some time."
Devine says he also struggles with controlling the risks of a bring-your-own-device (BYOD) culture and how it can lead to unauthorized data leakage, especially in an era when federal laws, including HIPAA and the Health Information Technology for Economic and Clinical Health Act have made medical institutions more directly responsible for any breaches of protected health information.
Wysopal says he thinks security teams are doing better at identifying attackers and their techniques, which lets them set priorities on what kind of defenses they need. But "patching the desktop to mitigate spearphishing remains a challenge," he said.
"Many CSOs are struggling with Web application security also. They are able to cover high-risk apps because the business can see the risk, but often lower-risk marketing-type Web applications go unsecured and can lead to breaches."
Stiennon says that the results of ERM development and maturity at many enterprises is proof of its failure.
"Risk-management methodologies have been deployed at most large enterprises and have reached a high level of maturity. Yet breaches and successful targeted attacks are becoming more frequent and of higher impact. Clearly, risk management is not working."
Stiennon further argues that terms like "risk appetite," which have some meaning in financial markets, really don't mean anything in IT security.
"There is no 20 percent willingness to lose 10 percent of our assets," he said. "The real mandate is to avoid costly data losses. In practice this means risk management methodologies that loosely translate into 'protect everything,' which is demonstrably impossible. But risk managers, even if they agree that their end goal is impossible, argue that doing 50 percent of this will reduce attack surface area, so it is worth doing."
Regarding cutting costs, Stiennon insists it never happens.
"Risk management is extremely costly. It usually involves an expensive team of professionals. None of their activities are directed at stopping targeted attacks that bypass their controls."
And when it comes to enabling the business, Stiennon argues that success in that area can dangerously enable it. The credit card companies, in concert with the U.S. banks, used risk management to determine that the risks associated with banking credential theft was low and allowed an entire economy of cybercriminals to crop up," he said.
What, then, is the best way for today's CSOs and CISOs to move forward?
There is plenty of advice on that front. Several ERM frameworks offer detailed instructions on the process of implementing successful risk management. But experts like Cowperthwaite advise being wary of the frameworks, arguing that they are mainly about compliance with regulations.
Compliance goals are worthwhile, he says, as part of due diligence and accepted practice, "but that's not real risk management."
"A risk-based program should fundamentally ask itself, 'What things pose a threat that I'm vulnerable to, and how will I solve it so I reduce my vulnerability or the threat?"
As an example, he notes that a given person could be killed by someone with a gun. Compliance might dictate that he wear a bulletproof vest. By contrast, a risk-management approach would ask if there is somebody who is a threat to that person, who owns gun and doesn't like him.
"There are lots of ways to deal with that," he said. "You could take the gun away, wear a vest, or not go out in public. But were only going to solve the problem if we think of both the vulnerability and the threat."
Stiennon argues that the job of the CSO is not so much to evaluate risk as it is to practice threat management, which he says means, Look at that attack surface from the perspective of the attacker. First, his targeting and valuation of assets may well be completely different than the valuations of the defender.
"Second, the attacker is not perturbed by perfectly patched systems. He either uses a zero-day vulnerability that cannot be known or protected against, or he targets the individuals that have access to the target data and uses their authenticated, authorized access to steal what he is after."
The way to do that, he said, is to use published reports and information-sharing teams to "get a step ahead of the attackers by researching their methods and targets. Assign responsibility to a team to thwart targeted attacks. Do this outside the risk-management team."
Cianfrocca said he sees reason for optimism.
"Some industries - large manufacturing, military and critical infrastructure -are becoming aware that their existing practices are not good enough," he said.
"It's fascinating to me that the urgency is very high. It's like seeing elephants dancing."
Read more about security leadership in CSOonline's Security Leadership section.