Risk Management Reality: 12 Truths About Where We Are Today
By Ray Vazquez, Executive, Infinitive
It’s well known that companies face more complex and greater risks in their business models today. But less clearly understood is just how far off the mark much conventional wisdom about Enterprise Risk Management and Information Security really is. The following 12 truths about the current security and risk environment reflect lessons learned (sometimes learned the hard way) by many organizations in a range of industries.
- Security is not a fence, a cage or a lock. Security and risk management have typically been defensive actions, highly reactive by design. This amounts to “closing the barn door” after the fact. Security must be offensive, predictive and forward looking. Much like generals always fighting the last war, too many security efforts are focused on solving the last crisis, which leads us to Truth #2 …
- Your future is your past. “I thought we solved this two years ago” may be the most frequently spoken words in security and risk management – right up there with “I knew this was going to happen.” Too many companies continually stumble over the same risks, because they take the path of least resistance to find easy patches or fixes to security issues or vulnerabilities. They do not address underlying issues and risks. (See also Truth #11.) When you have an incident or security breach, it’s worth investing time and resources to truly understand what happened and thereby avoid the “band-aid” syndrome. Many organizations are tempted to move on and stop talking about their past issues and mistakes, but there are valuable learnings and insights to be mined if you wish to get beyond this “past = future” syndrome.
- Information is in the eye of the beholder. The value of data is usually in the eye of whoever is looking at it. But there is risk in it, too, because too often data is replicated, changed or transformed within business processes. With the ability to download data to desktops and flash drives and the creation of end-user computing applications, data can be further altered. This is not only a security threat, but also a strategic risk. Specifically, when many people can change and move data around, it becomes more difficult to achieve a single version of the truth. Further, you have to worry whether decision support data is complete, accurate and reliable. And are the right people asking the right questions of the data? Too often the business fails to engage risk managers to help ensure data is being managed properly. Because risk managers tend to look at the world from a different perspective, they can help ensure it’s being managed securely and effectively.
- You’re paying your biggest threats. You may have thousands or tens of thousands of huge risks reporting to work every day. Long-time employees, recently hired employees, contractors, external consultants, vendors, outsourcing partners – all of these are potentially malicious insiders who can profit by sharing information and intellectual property with crooks, your competitors or both. At a minimum, they are targets for malicious outsiders seeking to exploit them. They have access to some of your organization’s most valuable assets, and yet the vast majority of companies are barely monitoring partners or vendors and don’t have formal policies for de-accessing contractors from networks and data repositories when projects are done. Checklists sent to vendors and background checks are feel-good activities, but rarely have enough substance to protect you long-term.
- SOX stinx. Okay, bad joke, but risk management pros recognize that SOX testing does not do much to safeguard the business. Companies who believe complying with SOX and other “control” regulations gives them the protection they need may be at even greater risk than in pre-SOX days. For instance, when you restructure an organization or simply deploy new systems (after a transformation initiative, for instance), SOX controls are often not adjusted appropriately and thus won’t offer much “control” over the new environment. Similarly, internal audits typically happen a period of time after deployment. Neither of these measures is nearly proactive enough.
- Most security investments are wasted. At its Security & Risk Management Summit 2010, Gartner analysts estimated that investments in security software in 2010 will reach $16.5 billion. We shudder to think how much of that is wasted, or is generating sub-par return on investment (ROI). Disclosure of data loss is on the rise despite these investments.
- Every good manager is a good risk manager. Risk management must become part of a company’s DNA – with consistent reporting and incentives built into management models. That’s how companies can evolve to lower-risk, more secure operating environments. The truth is all good managers are good risk managers. And not just in the sense that nothing ever goes wrong on their watch; it’s more that they look ahead and keep their eyes on the horizon and anticipate short-, mid- and long-term risks to the business.
- Donald Rumsfeld is an excellent risk management strategist. Not to play politics here, but the former Secretary of Defense gave business leaders much to think about when he talked about “known unknowns” and “unknown unknowns.” Most businesses have huge numbers of both. An effective risk management strategy starts with an honest assessment of each of these categories, not to mention the ability to creatively visualize how the world will change (and thus the new risks that will emerge).
- Your CEO is your chief risk officer. Speaking of honesty, security is very much a cultural and management/leadership matter. This has always been true and remains especially so today. As Peter Drucker put it, workers will forgive leadership of a great deal, “incompetence, ignorance, insecurity, or bad manners. But they will not forgive a lack of integrity.” Integrity is a security issue as it relates to the financial health of an organization, but also in terms of the tone it sets. It’s safe to say that organizations with honest brokers at the top are likely to identify and remove internal threats earlier.
- Security is simple. Or, to put it another way – relatively simple steps can pay big dividends. This is especially true regarding management’s role in driving a strong risk management culture: effective security really begins with executives getting out of their offices. You want to get a handle on operational risk? Go visit a warehouse or distribution center during second shift. (See also Truth #12.) Or spend a day with your IT security team or at a call center.
- Band-aids don’t prevent long-term infection. This is why your current and future risks are the same as your past risks. Most security fixes are band-aids. Sure, you bought the massive network monitoring software package. Sure, you changed auditors. But if no one is actively tracking the monitoring and firewall logs or engaging with the auditors and encouraging them to think beyond the stipulations of the contracts, these may be band-aids – and loosely applied ones at that. Risk management and security are full-time jobs – active, ongoing pursuits that must be a standard part of a company’s operating model.
- Strange things happen at night. When was the last time you went to the office after midnight? You might be surprised at what you would learn. If you think you know everything about your business, just pay a late-night visit to one of your company’s warehouses, distribution centers, data centers, call centers or transaction processing hubs. Like on the reality show Undercover Boss, you might be surprised by what you see. You’re likely to see some of the true heroes in your organization in action. These are the folks who keep your business running and make sure mechanical failures of servers and backup drives are taken care of. They watch the firewalls and keep the bad guys out when the holes in your controls and processes are exposed at night. Every morning you wake up to your business functioning normally, you should remember what the heroics of the night before entailed. Grab a pizza next Friday night and visit the night shift; they’ll appreciate it and you’ll learn a lot in the process.
Bottom Line: Time to Rethink Risk
Collectively, these 12 truths demonstrate how effective risk management programs adopt a 360-degree orientation and forward-looking perspective; it’s not just building the highest wall or having the most restrictive access to corporate assets. It’s a matter of connecting the dots between the different types of threats and opportunities that exist across the organization. It’s about “engineering” risk so that it drives the business to greater operational visibility, increased threat awareness and consistent policies. Fundamentally, that’s how risk management and security move from being a defensive posture to a proactive and enabling force that is aligned to core strategies and objectives.