[BreachExchange] When Compliance Isn't Enough: A Case for Integrated Risk Management

Destry Winant destry at riskbasedsecurity.com
Thu Sep 26 10:52:32 EDT 2019


Why governance, risk, and compliance solutions lull companies into a
false sense of security, and how to form a more effective approach.

The governance, risk, and compliance (GRC) approach to risk management
is proving insufficient as companies grapple with myriad tools amid a
false sense of security. Instead they now are turning to integrated
risk management (IRM) and risk quantification to inform strategies.

"What we are seeing, and have seen over the last five years, is a
pivot away from more of a compliance-focused approach around IT and
security risk that you'd typically find in a GRC program, or even in
utilizing GRC technology," says John Wheeler, global research leader
for Gartner's Risk Management Technology division. His focus is on
IRM, which involves different ways to address risk and potentially
transfer risk vehicles; for example, cyber insurance.

GRC, now around for nearly two decades, stemmed from a growing need to
address the broad landscape of compliance mandates security pros face
year after year, Wheeler says. While helpful in meeting said mandates,
companies that invested more in GRC-specific tools found themselves in
a "potpourri" of products either purpose-built to address a specific
compliance requirement or limited in its ability to understand risks
unique and specific to the organization.

"For many organizations, they may have a false sense of security," he
adds. "If they think they are compliant with regulations, risks are
addressed … [this] couldn't be further from the truth."

It is imperative companies understand their individual risk profile,
Wheeler continues; out of that will come a greater ability to meet
compliance mandates that are relevant to the business. Rather than
focus on GRC, many are turning to IRM so they can comprehend how IT
risk, and cybersecurity requirements and posture, fits into and aligns
with broader operational risk.

"[IRM is] taking it beyond technology into the realm of people and
process risk, and ultimately all the way up to overall strategic risk
of an organization, such that they can understand their security and
IT risk aligned with where the organization is headed strategically,"
he explains.

IRM is a "forward-looking risk posture" in that it considers the most
strategic initiatives a business is taking on, and where it's headed,
as opposed to reporting on historical security incidents. While past
events are important and can inform an enterprise approach to
security, they make up only a small piece of the picture – and one
senior executives and board members can't fully appreciate as it has
little relevance to what they're hoping to achieve in the future.

Context is Key: Why IRM is Different

The core of IRM is the ability to perform risk assessment at an
asset-based level, which aligns with the IT or cybersecurity world,
says Wheeler, who spoke about the approach at this week's FAIR
Conference, held in Washington, D.C. Most IT and security pros assess
the risk of their hardware, software, and data assets to determine
which of these are most critical.

"That is important, but what they lack is context of how those assets
are also tied into the broader business," he says. They need to take
the risk assessment of a given process, and the people involved, and
tie those into asset-based risk assessment to realize how they

For example, you may have a server on the network deemed critical, but
in reality, it doesn't support any critical business processes, so it
doesn't need to be highly ranked. At the same time, you may have an
asset labeled non-critical, located outside the core network and tied
into a highly critical business process. For that reason, it will need
to be treated differently. These risk assessments can help IT better
understand how different systems relate to one another; in doing this,
they can better prioritize their work efforts and resource allocation,
he adds.

IRM is helpful in informing the development of new products and
services, says Wheeler, as it provides a vertical view of risk through
the company. This is "essential" in helping businesses address digital
risk management as it relates to the creation and delivery of new
digital products and services, an issue of great importance to CEOs
who want to use these to grow.

"To do that effectively, they need to have that vertical view of risk
down through the organization to give them better understanding and
visibility into the risk they face with digital products and
services," Wheeler says. "Not only for developing a business case, but
then as it progresses from business case to design and delivery,
understanding how risk profile changes."

Navigating Shifts and Challenges

Wheeler acknowledges adopting IRM comes with its obstacles: while
security pros can use tools and methodologies to better quantify risk,
he says, it will never be precise in its calculation.

"It's unlike, say, financial risk, when you get into credit risk or
market risk, where you can be very precise in the amount of risk that
needs to be mitigated or transferred," he explains. The goal of this
exercise should be "directionally correct," as he puts it, instead of
entirely exact. With that expectation, organizations can focus on
creating and maintaining a dialogue around IT and cybersecurity risk,
and make decisions based on the directionally correct data they have.

He also points to a shift occurring within many organizations, which
are seeing more and more risk borne by people within the business as
opposed to technology experts and leaders. As this is happening, tech
is moving into a frontline activity as it supports products and
services. This accountability will drive a desire within the business
to be engaged and understand the risk.

With that engagement, an understanding must be made. IT and security
pros can provide risk data, but everyone must keep in mind the focus
of the risk itself as opposed to the process of calculating the risk
amount. In his personal experience, Wheeler says much of the
conversation between business and technology devolves into a
discussion of how a risk amount was calculated – which avoids the goal
of addressing risk in a way that drives the business forward.

More information about the BreachExchange mailing list