Many companies, like TJX, have had credit card data stolen. Using your approach, how can companies make sure something similar doesn't happen to them?
WESTERMAN: This is clearly an access issue. So the way we would look at it is to say, for this access risk, how do the three core disciplines apply? Have we set up our foundation in a way such that external hackers can't get into the information? What are we doing to technically protect the private information in the system? But then we want to go beyond that and talk about, say, credit bureaus that have sold information to the wrong people. That's the awareness side. How can organizations clarify for frontline people what kind of privacy threats are out there and how to diagnose these threats when somebody calls in looking for information? What procedures do we want for checking out the people we give information to?
Given the complexity of today's systems, aren't breakdowns and break-ins inevitable?
WESTERMAN: I would like to be able to say that they are not inevitable, but given the complexity, they may be.
So how do we respond when they happen? In the case of the failure of Comair's crew-scheduling system, they had two issues: the failure of the system, and the lack of an adequate backup plan to bring the system back up again. What can we do to detect when a problem is happening? How do we make sure our information is accurate? What do we do when a project runs into trouble? When we have data quality issues, how do we respond? Protection, detection and response: We want to make sure we've got something in all those areas.
Should the IT security function remain part of the traditional IT organization or be part of another function, such as risk management or the legal department?
WESTERMAN: Obviously, having the IT security organization within IT gives it the kind of focus it needs, because the CIO is in many ways on the hook for security, and CIOs understand the importance of investing in security. On the other hand, we need to have links to legal, compliance, and business executives.
It's less important where security resides and more important that it's in a place where it has all the links it needs and it can get the funding.
The subtitle of your book is "Turning Business Threats Into Competitive Advantage." How do you turn threats into competitive advantage?
WESTERMAN: There are two ways to do it. When you look at IT risk management as kind of a compliance effort, the value is avoiding certain risks. But if you think about risk management as a capability, you create value in three other ways. One, you have fewer fires to fight, and that creates value because you don't spend resources on the fires. Two, we actually structure IT better and our relationships with the business work better. We can do more, get more bang from our buck. Third is the upside of risk: If we manage risk well, it makes the organization more agile. The organization can take on competitive opportunities other people would consider too risky.
By fixing availability and accuracy we actually go a long way to fixing agility risk, and that's an upside. Looking at the downside of risk creates upside potential for us.