CSI 2008: The Business Case For Governance, Risk, And Compliance - InformationWeek

Commentary by Mike Fratto, 11/17/2008, 07:55 PM
CSI 2008: The Business Case For Governance, Risk, And Compliance

There are three legs of a table that, if weakened, put your organization at risk and, if a leg is removed, let the table fall to the ground. IT governance, risk, and compliance (GRC) is fundamentally a return to the basics of information security. Regardless of technology, you need to know what to protect, when it needs protecting, and why it needs protecting. Getting ahead of the game is more effective than catching up later.

Ron Woerner, security compliance manager for TD Ameritrade, brings GRC down to the three R's: reputation, regulation, and revenue. If you're not focused on these three areas, you're not doing GRC, or risk management, for that matter. Regulation -- you get that. You have been soundly beaten over the head with regulatory compliance the last few years. If your company is in a regulated industry, then you have to comply with something. A daunting task, to be sure, but compliance alone isn't enough. A good reputation with your customers and with your partners is a difficult trust to earn and an easy one to lose. You don't lose reputation simply by having a breach. Rather, you lose reputation by your actions leading up to and after the event. And then there is revenue.

Information security has always been seen as a cost center -- something you have to pay out for some perceived benefit. The business problem with security is that when it works, you don't see it, and monetizing the financial benefit is difficult. There is no guarantee you will be attacked, and if your company has been attacked, there is no way to determine whether you will be attacked the same way again. The vulnerabilities are moving targets.

There are a number of ways to try to quantify risk. Annual Loss Expectancy (ALE) equals the cost of a loss multiplied by the number of times the loss is expected to occur in a year. Return on Security Investment (ROSI) factors in the loss avoided by purchasing and deploying some technology. A more fundamental equation, called the Hand Rule after Judge Learned Hand, who found that a barge captain could have averted an accident if he had been properly equipped and on board, quantifies risk as the cost of impact multiplied by the probability of an event, with that product divided by the cost to mitigate the threat of the event. By assigning values to the variables, you should be able to calculate risk, which is the likelihood that your company will suffer a financial loss.
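The three formulas above, worked through on a constructed set of candidate controls so they can be compared on one footing. This is an added example, not code from the column or from TD Ameritrade; the ROSI form (avoided loss minus control cost, over control cost), the reading of a Hand ratio above 1 as "expected loss exceeds the cost to prevent it", and all dollar figures are assumptions for illustration.

```python
# Added example: ALE, ROSI and the Hand Rule as the column states them,
# applied to constructed sample controls. Figures are invented.
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    impact: float           # cost of one loss event, in dollars
    probability: float      # expected occurrences per year
    mitigation_cost: float  # annual cost to buy and run the control
    reduction: float        # fraction of the loss the control prevents (0..1)


def annual_loss_expectancy(impact: float, probability: float) -> float:
    """ALE = cost of a loss x expected occurrences per year."""
    return impact * probability


def rosi(ale: float, reduction: float, mitigation_cost: float) -> float:
    """ROSI = (avoided loss - control cost) / control cost.
    Assumed form; the column only says ROSI 'factors in the avoided loss'."""
    avoided = ale * reduction
    return (avoided - mitigation_cost) / mitigation_cost


def hand_ratio(impact: float, probability: float, mitigation_cost: float) -> float:
    """Hand Rule as the column gives it: (impact x probability) / cost to mitigate.
    Assumed reading: a ratio above 1 means the expected loss exceeds the
    cost of preventing it."""
    return (impact * probability) / mitigation_cost


def rank_controls(controls):
    """Return (name, ale, hand_ratio, rosi) rows, best ROSI first."""
    rows = []
    for c in controls:
        ale = annual_loss_expectancy(c.impact, c.probability)
        rows.append((c.name, ale,
                     hand_ratio(c.impact, c.probability, c.mitigation_cost),
                     rosi(ale, c.reduction, c.mitigation_cost)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample figures, not from the article.
SAMPLE_CONTROLS = [
    Control("laptop full-disk encryption", 250_000, 0.4, 30_000, 0.9),
    Control("web application firewall", 500_000, 0.1, 40_000, 0.5),
    Control("outsourced 24x7 monitoring", 100_000, 0.2, 200_000, 0.8),
]

if __name__ == "__main__":
    for name, ale, hand, r in rank_controls(SAMPLE_CONTROLS):
        print(f"{name:28s} ALE={ale:>10,.0f}  Hand={hand:5.2f}  ROSI={r:+.2f}")
```

Note that the sample firewall passes the Hand test (ratio 1.25) yet has a negative ROSI, because the Hand Rule ignores how much of the loss a control actually prevents; looking at both numbers is what keeps the comparison honest.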

But all those equations are about avoidance and minimizing risk and costs, and that is ultimately a reactive strategy. Woerner had a better analogy for the business case for information security, using cars. Brakes were invented and installed on cars not to stop them, since cars at that time didn't go very fast. Brakes were installed so that cars could go faster safely. Another example is rearview mirrors. Rearview mirrors were invented so that racing teams could get rid of the rear-facing mechanic and the driver could still see behind him. The value of brakes and rearview mirrors was to let cars go faster, safely. The motivation wasn't to avoid collisions. The result was fewer collisions.

We can apply the same principle to information security. Any new IT project brings additional risk with it. Data is stored in more places. There are more ways for the data to be lost or misused. There are more points of entry. The risks are greater than if the IT project were not undertaken at all. If your company went back to a paper-based system, you would never have to worry about electronic attack, right? The qualitative argument is that your company will deploy new IT projects and will be partnering with external organizations. You can actively identify and manage the risks proactively so your company can move forward safely.

Michael Hannigan, manager of systems engineering and support for Electric Insurance, whom I interviewed for the 2008 InformationWeek Strategic Security Survey (registration required), stated that his company identifies, evaluates, and manages risk on every new project. His company has to adopt new business and new processes, just like any other business does, and it can either proactively manage risk from the start or reactively manage risk after the fact. Proactively managing risk is ultimately more effective and more cost effective than reacting after the fact, and once you go from a reactive model to a proactive model, you move from information security to governing your IT systems.

That's your business case.
