RISKVUE ARCHIVE | RISK BITES
Shotgun Wedding: The Marriage of IT and Risk Management for Digital Risk Management
By Philip Pierson, founder and manager of e-Sher Underwriting Managers, Irvine, California
“Don’t worry — our network is secure.”
Many CEOs and CFOs are lulled into complacency by these words from their IT executives. But the reality is that no network can be perfectly secure. Entities such as the U.S. government and Microsoft did their best to secure their systems, and that did not keep them from being “hacked.”
As fast as security experts find remedies for viruses and hacker attacks, cyber outlaws find new ways to wreak havoc through the Internet and corporate networks. Spending on network security is increasing, which reflects companies’ growing awareness of their liabilities and vulnerabilities. Yet the emphasis is on making networks more secure, not on looking at the larger, enterprise-wide picture of the digital risk management needed in today’s world.
The Risks of Relying Solely on the IT Department for Digital Risk Management
Executives naturally look to their IT departments with questions about network security. Yet this is not really the role of an internal IT function, which is primarily charged with building networks and databases and bringing applications online. IT staff members are inundated with constant “break and fix” cycles, and plagued by rapid staff turnover and the scarcity of qualified professionals. Poised on the brink of burnout, the IT team is constantly challenged to bring in multiple projects on time and on budget under difficult circumstances.
Quite understandably, when questions of security are raised, the IT staff looks at technical controls: firewalls, virus protection, and security policies. The focus is on the security of the product, not the security of the system as a whole. Very seldom do the IT experts examine the full scope of risk that network and Internet security issues pose for the company.
In reality, only about 20 percent of the explicit risk is related to the technology, inventory, and process aspects of the enterprise. The remaining 80 percent is subjective and qualitative — related to organizational structure and roles, organization communication, and behavior.
Yet when the risk manager is introduced into the security issue, IT managers may see this development as an obstacle to completing projects on time and on budget. This attitude stems from a fundamental lack of understanding of what risk management does.
The Role of Risk Managers in Network Security
The role of the risk manager is to quantify the likelihood of loss, or of lower-than-expected returns, for the company, and to find ways to reduce or transfer that risk. Risk management deals with the possibility of loss, the probability of loss, the potential perils (causes of loss), and hazards (characteristics of exposure). Risk is synonymous with exposure. Hence, risk management is the process of using physical and human resources to accomplish certain objectives concerning the exposure (risk) of an organization.
The risk management process identifies, analyzes and quantifies exposure. It then selects the technique, or combination of techniques, to address each exposure; implements the solution; and monitors, measures and implements changes as needed over time and as circumstances change.
Before a loss (and ideally in avoiding one), the risk management objectives are financial protection, reduced anxiety, and the meeting of external obligations and social responsibility. After a loss, these objectives include survival, continuity of operations, earnings stability, social responsibility, and continued growth.
The risk manager strives to protect the company against every category of exposure: financial, legal, market, technical and operational, and regulatory. Risk managers practice due diligence in these eight areas:
(1) Asset analysis — brand and reputation, customers, locations, tangible and intangible, current insurance
(2) Business model analysis — revenue streams and services
(3) Representations and warranties — current, expressed, and implied
(4) External factors identification — regulatory requirements, contract enforceability, international transactions
(5) Internal and external vulnerability assessments — hackers, privacy breaches, theft of information, integrity, distributed denial of service (DDoS), intellectual property infringement
(6) Operational constraints — 24/7 operation and availability
(7) Technology/platform analysis — hardware and software
(8) Constituency analysis — shareholders, supply chains, customers, information exchanged, sensitivities such as confidentiality, strategic alliances, contracts
In contrast to the comprehensive perspective of risk management, the information technology department is concerned with only one of these eight areas: technology/platform analysis.
Areas of Network Exposure
The risks and liabilities associated with electronic processes and interactions arise from business activities that ultimately affect an entity’s value and create network exposure. These risks can arise from a number of sources, many of which are not covered by IT’s analysis of security, such as:
Locations: remote users, Internet, the corporate LAN, suppliers, vendors, third party service providers, and branch offices.
Connectivity: risks to business continuity, such as an interruption in the power supply or the voice/data line, resulting in loss of data, damage to hardware, and system failure; and the inability to process orders, resulting in lost sales and claims for compensation by third parties such as advertisers and customers/users.
Website liability risks: publication of errors on the website, infringement of copyright or trademark through content or links, defamation, errors and omissions in content, and inaccurate information.
Hosting risks: copyright liability for material that subscribers upload or download, errors and omissions leading to server downtime, and the security of the hosted pages.
Confidentiality liability risks: infringement of consumer privacy, including customer data; consumer information may be divulged, information may be modified, and customer data may be stolen.
Infringement of local legislation: lack of awareness of foreign laws leading to claims; products (or their specifications) may not comply with legislation in a foreign country.
Contractual risks: terms and conditions that are inadequate or ambiguous, service agreements that do not cover the use of e-commerce, and purchase contracts that are ambiguous in relation to online contracts.
Strategic risks through contracts and outsourcing: partners such as Internet service providers, distributors, and web hosting firms whose reliability is an unknown quantity, and incorrect decisions about what to contract out.
Image risks: loss of image as a result of network or Internet failures, resulting in future loss of revenue, loss of customers, and the additional cost of rebuilding the company’s image.
The skills and experience of both the risk manager and the IT executive must be brought together to comprehensively analyze the company’s e-business vulnerability and take steps to protect the company’s network. The identified risk must be balanced against security practices and specialized insurance that can transfer the remaining risk. These two perspectives most often come together in the finance office, and are brought there by the company’s senior executives who take a leadership role in instilling a company-wide awareness of and commitment to digital risk management.
The Perfect IT and Risk Management Marriage
An enterprise-wide solution to digital risk management needs the support of senior management to create a “marriage” between risk management and IT. This partnership then forms the nucleus of the enterprise family that can raise and nurture company-wide awareness and protection of systems security. Digital risk management and security affect all areas within a business: IT, finance, human resources, marketing, risk management, internal audit, and legal. A coalition of these human capital assets is needed to provide the interdisciplinary framework that can address the complexities of digital risk management in today’s enterprise.
How does this coalition come together? The drivers for the creation of this team are the senior executives of the company. They are the “godfathers” who bring about the marriage of the internal experts who can contribute the expertise that goes into a complete analysis and plan for e-business security. Awareness of and commitment to digital risk management begins at the board and senior management level, and permeates through the existing organization.
In conclusion, all levels of management within an organization must recognize that no organization can meet its business goals without a functioning network. The security of that network must be protected to ensure the survival and success of the business, and the collaboration of risk management and IT is essential to achieving it.
ABOUT THE AUTHOR
Philip Pierson is founder and manager of e-Sher Underwriting Managers, the cyber insurance facility of Swett & Crawford, the nation’s largest insurance wholesaler. e-Sher works in conjunction with leading edge security assurance developers, counselors and intelligence experts to provide policyholders with high quality risk and security assessments and products, to avoid or at least mitigate damage to computer networks and information assets before they occur. For more information, contact Mr. Pierson at philip_pierson@swett.com, 949-477-6646.
riskVue | The webzine for risk management professionals
May 2002