Corporate Governance

Gartner Security and Risk Management Conference, June 2016

The Gartner Security and Risk Management Summit was recently held outside Washington, D.C. The event was attended by over 3,000 Information Security and Risk Management professionals from around the globe. BWise was a lead sponsor of the event. Our booth and presentation given by Luc Brandts (BWise Chief Strategy Officer) and Annu Warikoo (Nasdaq’s Global Head of Risk Management) were well attended. The summit provided a perfect forum to showcase our internationally awarded solutions, highlight our capabilities to manage information security risk, and discuss how we are helping our clients protect, comply, and simplify their risk management practices.

Making Information Security Resilient

The four-day event opened with a keynote session by Felix Gaehtgens, Peter Firstbrook, and Jeffrey Wheatman from Gartner, highlighting a bold vision for today’s digital business environment, in contrast to the previous years’ primary focus on protection and prevention.

The keynote theme focused on making information security resilient. It stressed the importance of viewing security threats in a business context and clearly tying the threats to the harmful exposures that InfoSec professionals aim to protect the company against. Instead of saying ‘no’ to new digital business initiatives, and/or explaining the security limitations, the speakers recommended presenting the business choices to management, while balancing between acceptable risk (risk appetite) and business performance goals.

Risks are strategic; security threats are tactical

Organizations will always search for new ways to grow – acquiring customers, entering into new markets, and delivering new products/services. Technology is frequently at the heart of these goals, whether it’s protecting company assets, creating efficiencies, or supporting processes. Moreover, the use of technology is becoming more pervasive. Technological advances (e.g., the Internet-of-Things) and mobility (banking, email and social media) are producing not only new ways of doing things, but new risks as well.

The effects on risk management aren’t new though. There is still a focus on understanding the potential events that may influence the outcomes of an organization’s strategic objectives. Consequences like brand damage, recovery costs, litigation, and regulatory consequences (e.g., fines, ceasing expansion opportunities, or increasing capital to address heightened management expectations) still remain.

The question becomes whether there is a need to adjust the risk management philosophy or practices to address information security risks. In short, the answer is no. The principles of risk management are still applicable – identify, assess, evaluate, manage, and report. Granted, the frequency with which some information security risks occur, cyber attacks for example, is greater than that of other operational risks like fraud or natural disasters. This simply requires a careful look at and evaluation of the occurrence or potential occurrence of an information security risk. The assessment process (evaluation of likelihood and impact, for example) doesn’t change, just the outcome.

This requires an organization’s risk management process to be more dynamic than the way most organizations structure it today. Most organizations will do a risk assessment on an annual basis and, at best, either update that assessment quarterly or as the risk environment “changes” (where “changes” is typically a nebulous definition, leaving varying interpretations amongst the individuals who need to complete the evaluation).

To be dynamic, nimble, and timely in managing information security risks, an organization really should have a Governance, Risk, and Compliance (GRC) tool to enable the risk management process. The tool not only acts as a central repository for risk data, but should:

  • Incorporate external feeds – information from threat and vulnerability scanners, regulatory changes
  • Help prioritize the most critical risks given the organization’s risk tolerance, assets, and overall control environment
  • Provide a high degree of configurability to enable end-users to see information related to their function in real-time
  • Align with other risk management functions and business practices

Education and communication are also staples of the risk management process, especially given the prevalence of information security risks. These risks and their consequences are the topics that management needs to understand more clearly. Clear communication and transparency about a risk’s implications should be the foundation for the advice the InfoSec team provides when evaluating the efficacy of new business plans and activities to achieve strategic goals. This requires closer collaboration between the InfoSec experts and the business so that each understands the other’s activities, points of view, and practices.

This doesn’t mean that companies should stop their technological advances and efficiencies. As Gartner stated, it’s impossible to be 100% secure, as that would mean ceasing or limiting new digital business initiatives. Ultimately, management can decide to accept certain risks, and if bad things happen, it’s all about how to detect and respond to them.

So when the InfoSec team collaborates with the business on possible courses of action, they should not only talk about the threats, but make sure their story relates to the key risks and the measures toward resilience, as well as the upstream and downstream effects on the value chain.

Getting to a Single Version of the Truth

From BWise’s perspective, it was encouraging to hear others speaking “our language”, knowing the solutions we provide are specifically designed to do exactly that: meet both the business’s and the risk function’s needs.

The practical and pragmatic nature of managing information security risks is a perfect match with our new BWise InfoSec Solution.

Our solution is designed to:

  • Address the overlap in functionality within the security technology landscape, where there is no “one single version of the truth”
  • Provide the connection to the business relevance of IT. Our system sits on top of all existing Information Security platforms, policies, procedures, and regulations.
  • Include predefined user level functionality, regulatory reporting, board reporting, audit reporting, and stress testing functions for Information Security across the enterprise
  • Streamline reporting from all systems and get the right information to the right people, at the right time, reducing overhead spend
  • Align with the organization’s overall risk management methodology and framework, ensuring an “apples-to-apples” comparison of risk throughout the company

By implementing BWise InfoSec, organizations are no longer dependent on highly technical individuals to translate system output and simplify the information for non-InfoSec executives. As a result of these efficiencies, they’re able to make critical decisions in near real time.

Ladd Muzzy

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
