Over the last decade I have watched security leaders and management work their way through IT-based security technology and a wave of new compliance and legal requirements, only to discover that these are not connected to the organization’s information security strategy. There has been a tremendous amount of focus on internal controls and on leveraging standards such as ISO and ITIL.
I want to introduce a new line of thinking regarding the categorization of risk and how it relates to security strategy. At a high level, this line of thinking views risk as “Preventable” and “Non-preventable”. We need to link preventable risks to internal controls such as ISO 27002 in order to better understand the nuances. From a risk maturity perspective, if an organization does not have a documented and repeatable rules-based approach for preventable risks, we know it is in the early stages of maturity and likely incapable of adopting more mature models and practices. Management must also recognize that preventable risks are controllable, and that controlling them is the first stage of an organization’s security maturity. An organization must first succeed at the easy stuff before heading into the difficult waters of external risks. External risks cannot be controlled; they can only be identified and prepared for.
Where many organizations get lost is in linking internal controls to external threats. Robert Kaplan, Harvard professor and long-time risk management expert, has recently offered a new way of thinking about high-level risk categories which immediately resonated with me based on over 20 years of experience. While Kaplan’s recent writings are directed at an organization’s overall risk management strategy, the premise of his insight can easily be adapted and leveraged for information security risk management.
Preventable Risks – internal risks arising from within the organization are viewed as controllable; however, companies cannot anticipate every circumstance or potential conflict of interest an employee may encounter. Examples include inappropriate actions by employees and risks stemming from operational breakdowns. Preventable risks are not linked to diminishing company value. Preventable risks are best managed through active prevention methods (e.g., monitoring, segregation of duties, a whistleblowing program, an internal audit function, etc.). The company mission statement should provide clear guidance on what is important to the organization. Policies should be clear and provide an explicit definition of boundaries.
Strategy Risks – strategy risks are not inherently undesirable in the way preventable risks are. Strategic risks assume the acceptance of some degree of risk in order to achieve a return on the strategy. Strategy-based risks cannot be managed through a rules-based control model. The goal is to reduce the probability that the assumed risks materialize or, at a minimum, to contain them. The corporate strategic planning office should be involved in managing strategy risks.
External Risks – risks arising from events outside the company and beyond its ability to control, such as natural disasters, third-party vendors, or targeting by malicious activists or hackers with sufficient ability to cause harm. Because organizations are not able to prevent these types of risks, management must focus on identifying the relevant risks and their associated impacts. Tools such as war-gaming and scenario analysis can be effective. The organization’s information security strategy should account for all three of the above risk categories.
A compliance or rules-based strategy can be effective for preventable risks, but it is wholly inadequate for strategy and external risks.
Risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure employees follow them. Rules-based risk management will not diminish the likelihood or the impact of a disaster.
Leaders need to categorize risks, identifying those that can be managed through a rules-based model and those that need alternative approaches.
Rules-based risk management can be used to align values and control employee behavior, but it is unsuitable for managing risks inherent in a company’s strategic choices or the risks posed by external sources. External risks require discussion and debate across the organization.
Management should prepare for non-preventable risks originating from outside their organization.
I always welcome your comments and feedback.