In this first blog entry, I will introduce what I plan to discuss on this new site and go into depth on IT risk profiles and IT risk maturity approaches for optimizing IT risk management success.
On this blog site I’ll offer my analysis and opinion on a range of IT security, performance, and availability topics. I will address risk management methodologies and current industry changes and transformations. This will include cloud security and compliance, virtualization security and compliance, Web 2.0 security, gaining executive buy-in, security liability and return-on-investment, managing to risk and harmonizing compliance, new approaches to communicating and measuring risk in the enterprise, and more.
I believe, now in the year 2010, we can no longer effectively sell the value of IT risk management using traditional technology-centric arguments or weak hand-waving around value to the business. Instead, we need to raise our game and appeal more to the fundamentals of how risk is perceived by human beings and businesses and then apply a strong methodology.
All living things, individually and in groups, continuously manage risk. They do so consciously and unconsciously and, in any given instant, they make decisions with full, partial, or zero knowledge of the risks they face. In the study and practice of IT risk management, we are controlled and guided by the risk profile and risk maturity of the individuals, corporations, and governments we work with. By understanding and honoring an organization’s risk maturity profile and guiding our recommendations and day-to-day actions accordingly, we can multiply our impact and success, predict organizational behaviors, and greatly reduce IT risk.
To kick off the content of my new blog, I plan to add a number of entries this week. Thanks for visiting, and I hope you find it useful. Let's begin with more detail on IT risk profiles and risk maturity.
In my years of helping companies manage their IT investments in security, performance, and availability, I’ve built various approaches to assist in gaining organizational buy-in, articulating return-on-investment and value to the organization, and optimizing solutions. In my second book, Mission Critical Security Planner, published approximately 6 years ago, I provide a compliance-independent framework based on a multi-dimensional model representing the essence of distributed computing risk, along with a business value articulation and planning methodology centered on two approaches. One focuses on the mechanical aspects of risk and the business: the technology stack, life cycle management, and straight business components. The other focuses on how all of this is articulated or “sold” to the different stakeholders in the business: executives, middle management, and staff.
I will expand on these approaches here and show a framework for expressing the overall risk profile and maturity of the organization. Before looking at this framework, make sure you think about how the organization perceives its core services and information, not its individual assets such as routers, servers, and the like. The enterprise doesn’t care about assets, and assigning individual risk to them is meaningless to the organization. What the organization will understand within the context of risk is the overall roll-up of risk to the services it cares about, such as email, accounting, order entry, customer relationship management (CRM), and the like, not a router or a server.
I have developed two models for articulating an organization’s risk profile and maturity. I call one an IT Operational Risk Maturity Model and the other an IT Outcome Risk Maturity Model. Let’s first look at the operational model. For every organization, you will measure and document risk perspective and tolerance in relation to the following four core attributes:
Business Climate
Corporate Culture
IT Organization
End-Customer Reliance
Let's look at these one at a time. First, consider business climate. There is absolutely no question that the business climate an organization operates in influences the risks it will take. Many people confuse business climate with vertical industry. That is to say that, for example, the risk profile for all companies in the banking vertical is assumed to be very similar. While it is true that within a vertical certain regulatory and compliance characteristics are common, it has been my experience that the risk profile for organizations within a vertical will vary wildly. Therefore, I consider it a falsehood to use a company's vertical industry as a strong indicator of its likely risk profile. Corporate culture, which I'll discuss in a moment, in my experience has far more to do with the risk profile than vertical industry. Returning to business climate as a contributor to the risk profile, the following characteristics should be parametrized and understood:
(1) Is it a public company, private company, or government organization? Publicly held companies tend to respond differently to risk than privately held ones as it relates to shareholder risk, bad press exposure, the risk and impact of lawsuits to the organization, and the like. Governmental agencies perceive and manage risk through the eyes of the agencies they interact with and that hold them accountable, as well as the expectations of citizens.
(2) Is the organization undergoing a merger/acquisition cycle? This will greatly impact how they manage risk through those cycles.
(3) What is the financial strength of the company? Its relative financial strength will greatly impact the risks it believes it must take to survive or grow. Just because a company is weak financially doesn't mean it will adopt a riskier approach than a fast-growing company with a renegade corporate culture. So again we have to weigh these elements together; however, it is fair to say that many financially weak organizations take more risks because they have to.
(4) And as mentioned earlier, we do need to understand and parametrize the compliance, regulatory, and legal environment that the organization operates in. However, as we have all seen, organizations vary wildly in the way they work to implement the true intent of a compliance framework versus checking a box. Therefore, just because a company states compliance with a given framework, or a large range of them, does not mean its risk maturity profile is automatically more advanced and evolved.
Now let's look at corporate culture. It has been my experience that this attribute of the organizational risk maturity model is one of the most significant. It may be unexciting to realize that organizations are like any other social unit: they tend to take on the attributes of their founders and leaders. The characteristics of risk-taking and pragmatism are driven from company founders and executives. If the top executives of the organization choose to have zero visibility into IT risk other than to "make heads roll" when things don't go as planned, and push for new IT capabilities without visibility into the top-level "dials" that turn to make the IT organization work and manage its risk, then you likely have an organization taking considerable risk while being unaware of it. Other attributes of the corporate culture include the way it responds to change and how aggressively it rides the technology adoption curve.
Next, consider the IT organization itself. Is the mandate of the IT organization understood by everyone in the company or just by IT? Is the mandate articulated strictly in terms of providing IT services, or is it expressed in value to the business and its mission in facilitating revenue? How process-oriented is the IT organization? How standardized are its operations? How is it staffed: thinly, heavily, or appropriately? What skill levels are maintained in the IT organization? How does it budget and allocate its costs in relation to the value IT brings to the business and the risk that must be managed? All of this rolls up to the risk profile of the organization and impacts how it will respond to and perceive risk.
Finally, consider the organization's perspective on the linkage between IT and the end-customer. Are there service level agreements (SLAs) showing the relationship between IT and the core business of the organization? Is there a relationship drawn between IT operations and revenue? Between IT and liability? The more an organization understands the relationship between IT and its business, the more open it is to an IT risk maturation process.
To finish off this blog entry, let's now look at the IT outcome risk maturity model. Based on how we have parametrized the organization through our organizational model, our outcome model will help us predict or observe how the organization ultimately responds to risk. The model I've developed measures the three A's: Awareness, Association, and Action.
Awareness is a measure of how "aware" the organization is, or chooses to be, of its own risk posture. An organization may choose to have visibility and insight into its key IT risk areas or, instead, may for example create a culture where awareness is limited to only a select few people; this typically results in so-called compliance check-boxing. Some organizations may have low awareness simply because they did not know and, once the risk is illuminated, they may respond.
Association is an indicator of how much the organization associates a given risk and its potential impact with core business objectives. In organizations where, for example, IT has no mandate or visibility as it relates to the core value it brings to the business, there will often be little or no association between a given set of IT risks and the impact to the organization.
Action is a measure of what the organization does in response to its awareness and association. It is not uncommon for technical staff to become very frustrated when they believe an organization has both awareness and association of a risk, or one or the other, and still takes no action. The organization's behavior in this example may be no different from that of a cigarette smoker who is aware of all the risks of smoking but still smokes. Understanding the likelihood of action in light of the other parameters is therefore fundamental.
Now that I've gotten that out of my system ;-) we will be ready to take on some of the hot topics of security and risk today: cloud computing, virtualization risk, Web 2.0, and more. In doing so, when we want to understand how an organization will embrace and secure a cloud computing environment, for example, we want to think about it in terms of the risk models and frameworks I've discussed. We will discuss the risks, the likely technology maturation curve, etc., but how an organization responds to the risk, or most importantly how we help it respond, is what matters most.