By Augustine Doe, VP, Enterprise Risk Management , Network Health
With technology at the heart of every business line’s and support function’s ability to operate, IT can and should play a critical role in managing and monitoring any organization’s enterprise-wide risks. Too often, different parts of an organization think about IT as separate and distinct from their own activities. By viewing IT in this siloed way, the organization is robbed of both essential insights and a powerful partner in dealing with enterprise-wide risks. In this article, we explore the four most important roles that IT should play in supporting an organization’s ERM efforts:
- Assist in distilling IT anomalies to critical IT risks;
- Serve as the frontline for the appropriate measurement of the impacts of IT risks;
- Provide insights critical for implementing an effective cybersecurity risk- management program;
- Partner with the organization’s Chief Risk Officer (CRO) to implement a robust cyber- incident response plan.
Assist in distilling IT anomalies to critical IT risks
As the organization conducts its enterprise-wide risk assessment, the assistance IT can provide in properly distilling IT anomalies to critical IT risks is crucial for implementing the right-size risk prevention, control, or finance plan. Because risks lie in the eye of the beholder, not all the anomalies experienced by IT should be assumed to represent the organization’s IT risks. A gap analysis ensures anomalies are properly vetted before being considered risks. The distillation process should also make sure key aspects of IT risks such as risk drivers and triggers or initial manifestations of risks are not confused with or construed as the organization’s actual IT risks, as they should be dealt with differently than actual risks.
For instance, hacking attempts, phishing schemes, slow network response time, users’ inability to gain access to their accounts because hackers have changed account settings are not IT risks. Rather, they point to an organization’s inability to conduct a particular function that may impact the organization’s ability to deliver on a specific strategic project or goal. The risk is the potential for financial and/or operational loss resulting from that inability.
The head of IT, generally the Chief Information Officer (CIO), should work closely with the organization’s CRO to ensure that IT risks are correctly identified and consolidated. In the absence of such distillation, the organization’s IT risk control or prevention efforts may target activities that are not actual risks. Also, such confusion may lead to the implementation of ineffective or inappropriate risk control or prevention measures. Once the distillation process is complete, each risk’s probability and impacts (financial and operational) should be measured. This would allow the organization to implement the appropriate risk prevention, control and/or finance plans to manage and monitor each risk.
Serve as the frontline for the appropriate measurement of the impacts of IT risks
As the in-house technology expert, the CIO should be responsible for any measurement and communication of the impacts of IT risks. The CIO should work with the CRO to determine the appropriate metrics for tracking and managing key aspects of each IT risk. (These should include metrics to track changing aspects of risk drivers, financial impact, operational impact, and probability of risk, as illustrated in the figure below.)
This level of detail serves as a powerful wake-up call about the vulnerabilities the organization is facing and gives urgency to taking appropriate steps.
Provide insights critical for implementing an effective cybersecurity risk-management program
As the member of the C-suite with both the deepest and broadest knowledge about technology and its impact and reach across the organization, the CIO is uniquely qualified to provide insights on how IT infrastructure, architecture, and programs should be operationalized to create an effective cybersecurity risk-management program. For instance, the CIO is in the best position to design and conduct the appropriate cybersecurity vulnerability assessment and/or to implement the right policies, procedures, processes, and systems. These measures should include employee and third-party cybersecurity education and training to improve the organization’s ability to manage and monitor cybersecurity risks from all its exposure points.
Implementation and education, especially as related to third parties, are too often overlooked. With organizations of all kinds increasingly relying on cloud-based technologies for cost-effective and efficient technology solutions, the need for vigilance is greater than ever. False comfort can be derived from what is seen as well-designed architecture or a well-thought-out program that exists as more of an idea and an ideal than a practice or series of practical measures.
When done properly, the CIO’s role allows the organization to operationalize state-of-the-art vulnerability-management, information-protection, and incident-response tools that analyze, monitor, prevent, and/or manage cyber-attacks. However, these tools need to be fully integrated into the organization’s ERM program for the organization to experience their true benefits, and this is where the CIO must pass the baton to the CRO.
Partner with the organization’s CRO to implement a robust cyber incident response plan
The need for a robust cyber incident response plan cannot be overemphasized. In EY’s annual Global Information Security Survey, just 43% of the 1,755 executives who responded said their organizations had formal incident response programs. And only 7% of that group’s plans included third-party vendors, law enforcement, and playbooks. While the lack of a cyber incident response plan certainly cripples the organization’s ability to get in front of a cyber incident and manage it effectively, the presence of such a plan does not guarantee a cyber incident will be effectively managed.
The first line of action is to ensure the cyber response plan has the key elements articulated in the Computer Security Incident Handling Guide from the National Institute of Standards and Technology (NIST) and/or conforms to the principles of incident management summarized in ISO/IEC 27035 Information Technology – Security Techniques. The CIO would take the lead in designing the plan and ensuring it meets NIST and ISO standards. This means the plan should account for how the organization would “Prepare-Respond-Adapt” to various cybersecurity incidents (e.g., social engineering attacks, hacking, malware attacks, system misuse by internal personnel, advanced persistent threats, etc.).
Second, the CIO would ensure recovery-time objectives agreed to with the technology vendors that comprise the organization’s cybersecurity technology chain are in sync with those enunciated in the organization’s cybersecurity insurance program. It is not uncommon for cybersecurity response plans to have a disconnect between these two elements. While one organization’s data center’s recovery time objectives indicated the organization’s data center would experience a maximum downtime of four hours following a specific cyber-attack, the organization’s cybersecurity insurance policy indicated that the insurance carrier would begin responding to the same cyber activity after 24 hours after detection. Thus, the organization was not able to take advantage of the data center’s shorter downtime. The CIO should work with the CRO to make sure the recovery time objectives of the technology vendors that form the organization’s cyber technology chain are aligned with those enunciated in the organization’s cybersecurity insurance program. Otherwise, continuity of operations would be unnecessarily delayed and would cause the organization to lose revenue while waiting for the insurer to execute its response to the cyber event.
Lastly, the response plan should be tested both before implementation and routinely thereafter to ensure that each member of the response team can quickly perform his or her designated functions with little supervision. The CIO would work with the CRO to conduct tabletop sessions of the response plan in addition to live cyber response practice, and incorporate lessons learned to improve the operability of the response plan.
No organization can afford to view risk and technology as distinct from each other. Leveraging IT’s insights to support the organization’s ERM efforts is a best practice that should be part of every organization’s arsenal in managing and monitoring risk.