Security, Reconsidered

By Allan Alter  |  Posted 08-09-2007

Security, Reconsidered

Business people know risk and return are opposite sides of the same coin; you can't have return without risk. So successful companies learn to analyze, accept and manage risk...most kinds of risk, anyway. When it comes to IT risk, organizations tend to focus on avoiding risk instead of managing it, by preventing intrusions and preparing to respond to catastrophic events. But instead of protecting companies, this approach to risk has blindsided IT to a long stream of IT disasters, from system meltdowns (Comair, Jet Blue) and stolen credit card data (TJX, CardSystems Solutions) to pilfered laptops (Veterans' Administration) and stolen data (U.S. Department of Transportation). Putting IT security back in the context of risk management has been the focus of George Westerman's work.

Dr. George Westerman is a research scientist at the Center for Information Systems Research (CISR) at the MIT Sloan School of Management and co-author, with Richard Hunter, a group vice president at Gartner, of the new book IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, August 2007; 256 pages, $35). "When I first joined the Center for Information Systems Research, it was right after 9/11, it was right after these major worms had hit, and different security issues and Sarbanes-Oxley were hitting at the same time," says Westerman. "People kept asking us questions about risk, and we didn't have a good answer on what risk means to the organization." The book is the culmination of five years' thinking and research devoted to IT risk management, and on finding a way to flip the coin and turn IT risk into business gain. CIO Insight Executive Editor Allan Alter asked Westerman what he learned during that past half-decade. The following is an edited version of their conversation.

CIO INSIGHT: Our research studies have found many IT executives believe they take an enterprise risk management approach to security. Do they, or are they fooling themselves?
WESTERMAN: We haven't seen a lot of firms that take a full, holistic view of risk. Risk has four elements we call the four A's: Availability, keeping the systems and the processes running. Access, making sure the right people have information and the wrong people don't. Accuracy, making sure the information we have is accurate and timely and complete. Agility, is IT helping or hurting an organization's ability to make major strategic changes? Yes, IT security is a big element of those four risks, but this holistic view is different from talking about risk in terms of silos like continuity, security and regulations. It means thinking about risk in terms of tradeoffs among the four business risks that are most affected by IT, rather than in terms of silos. While it's very hard for a businessperson to engage in a discussion of the importance of strong authentication or encryption, we can engage the business executive in the question of which processes are most important, and what is the business impact of having an availability problem in this process. We can have similar discussions about access, accuracy and agility. Tektronix, a big electronics equipment manufacturer, wanted to do a major corporate restructuring back in the late Nineties, and it turned out they couldn't: To spin off one of their major divisions, they would have had to give a copy of basically every system in the organization to the buyer. They actually had to put an ERP system in place, spending over $50 million in three years, just to disentangle the system so they could do acquisitions and divestitures. That's a major, major agility issue.

I think we in IT have always known these things, and many of the conversations we have with business executives have been about risk. But because we tend to talk about risk in these technical silos, it appears IT is standing in the way of thinking about security as risk. This is not about failures in IT; IT people ask good questions on risk and try to put good procedures in to manage risk, although we call those procedures standards, governance, architecture. But we often have trouble making our case for investment and changing behavior when we are dealing with the business.

Full, Holistic View

How might a more constructive conversation about risk sound?
WESTERMAN: We talked to a medical transcription firm that went from zero to 3,000 transcriptionists over the course of about six years. They're a highly virtual firm, and they had to replace their backbone IT infrastructure to make this virtual firm work. So they put together two infrastructure plans. One was an Internet-based platform where hospitals could download doctors' voices to the system through the Internet, transcriptionists could download and transcribe them, and ship the transcripts back up again. The other plan called for a hardwired, bulletproof setup with all the kinds of hardware and software protections you would expect.

The management team, when deciding between the two viewpoints, had a holistic discussion of risk. The bulletproof infrastructure was great for two of the risks that should matter most to this firm: availability and access. It's health care data, so the setup had to be very secure. But it was hard to hook new hospitals into it, or use transcriptionists in other countries. In the end, management decided to go for the Internet, even though it meant a little bit of a hit on access and availability risk. If they hadn't thought all the way through to agility, they would have adopted a platform that would have made them more rigid and hurt the company's ability to compete.

Does addressing risk require different capabilities beyond what IT professionals think of as security, in addition to new ways of thinking?
WESTERMAN: There are three core disciplines of IT risk management. The first is the IT foundation: the applications and the infrastructure and the supporting skills. If you are well architected, you are just less at risk. A good architecture is only as complex as it needs to be. So how can we make the architecture only as complex as it needs to be, and make sure we are managing our IT foundation extremely well?

Another core discipline is risk governance: how we identify, assess and make decisions about risk, and then take action and monitor the results to make sure we have done something about it. We don't always think about how to do that with this holistic view of risk. There is this dilemma that the people at the highest levels, who are best able to make priority decisions among risks, are least able to know what risks the organization is facing because they're not down in the details. On the other side, the people who know what risks the organization is facing are least likely to have the enterprise-wide perspective to prioritize risks.

In most organizations an effective risk governance process is highly distributed; the people who are closest to the work identify risks, and higher-level folks can look and make those prioritization decisions. Then the work of mitigating the risks can be sent back down to the people who are managing at the field or corporate level. It's a way to take the distributed knowledge and the centralized perspective and put them together. And having done that, expand the set of risks to talk about to all the risks, not just the ones we typically think about with security.

The third core discipline is having a risk-aware culture. Without it, the other elements will fail. A risk-aware culture has two elements: awareness of what threats they're facing, and how to behave in a risk-aware way. The ability to talk about risk among your peers and what we can do to fix it is a big deal.

Beyond top executive support, how do you create real risk awareness, not just lip service?
WESTERMAN: We did some survey research on risk management mechanisms. It turns out that risk awareness training is the Rodney Dangerfield of risk management; it gets completely no respect. But as it turns out, it's one of the most important things we have. Firms that do risk awareness training actually have lower risk for availability, accuracy, access and agility.

The trick to making risk-awareness training work is letting people at each level know what is appropriate for them to know. Talk to end users about protecting their own access, privacy issues, and how to deal with people outside the company. On the IT development side, talk about how we think about controls, how we make sure we've architected well, and that we have the right security in place. At the very top level, the key element is how to lead by example. Do we ask about risk at the same time we ask about return? Do we talk about funding projects that will reduce risk even though they might not have a huge ROI? The most important thing, though, is that the senior team leads by example and says, here is how we want to think about risk, here are the kinds of questions I'm going to ask regularly, here's how we're going to make those tough decisions, and even sometimes go against our own personal interests in the interest of a less risky enterprise.

It can be hard to assess and agree on risk. How should companies do it?
WESTERMAN: One of the best ways to identify risk is to do, in essence, an internal audit. Hold an internal brainstorming session or get an external IT auditor to help you identify the risks you're facing. Internal folks don't always see the situations that lead to risk, because they're in the middle of them. But eventually we want to get out of that audit-oriented view and imbed risk management into IT projects. So as you go through your basic business case to do a project you think about architectural compliance, data center capacity and other elements, and about what IT is going to do to the operational risks of the firm at the same time. Then you can say whether this project is taking us in the direction of less risk or more risk, and ask what we can do to prepare for any additional operational risks this project may create.

Let's say you do a risk assessment and you find that many areas need improvement. That can feel overwhelming. How do you get started and how do you follow through afterward?
WESTERMAN: We recommend doing business continuity planning in parallel with the IT audit. Business continuity planning requires not only understanding what is going on inside IT, but also what it means in terms of priorities for the business. If a system goes down, what processes are affected and how important are those processes to the business. In the process, we make decisions about, say, our tolerance for downtime on this system versus that system. Those are business decisions on priorities that really need to be made with the business. In addition, business continuity planning talks about when systems go down, which ones need to come up first and in which order. Business continuity planning is a wonderful way to start those conversations about business tradeoffs. But at the same time, do the audits to find the holes we ought to fill immediately.

Many companies run into trouble because risks that seem low turn out to be high, or because they were unable to anticipate risks. How do you avoid these problems?
WESTERMAN: This is a big issue. A lot of that is done through external benchmarking, comparing and measuring incidents you've experienced with incidents other people have experienced, to try to figure out whether your likelihood and impact estimates are correct. It's a matter of taking your assessment and continually revising it. Monitoring what's happening to competitors is also helpful.

3 Core Disciplines of

Access Risks">


Many companies, like TJX, have had credit card data stolen. Using your approach, how can companies make sure something similar doesn't happen to them?
WESTERMAN: This is clearly an access issue. So the way we would look at it is to say, for this access risk, how do the three core disciplines apply? Have we set up our foundation in a way such that external hackers can't get into the information? What are we doing to protect technically the private information in the system? But then we want to go beyond that and talk about, say, credit bureaus that have sold information to the wrong people. That's the awareness side. How can organizations clarify for frontline people what kind of privacy threats are out there and how to diagnose these threats when somebody calls in looking for information? What procedures do we want to check out the people we give information to?

Given the complexity of today's systems, aren't breakdowns and break-ins inevitable?
WESTERMAN: I would like to be able to say that they are not inevitable, but given the complexity, they may be.
So how do we respond when they happen? In the case of the failure of Comair's crew-scheduling system, they had two issues: the failure of the system, and the lack of an adequate backup plan to bring the system back up again. What can we do to detect when a problem is happening? How do we make sure our information is accurate? What do we do when a project runs into trouble? When we have data quality issues, how do we respond? Protection, detection and response: We want to make sure we've got something in all those areas.

Should the IT security function remain part of the traditional IT organization or be part of another function, such as risk management or the legal department?
WESTERMAN: Obviously, having the IT security organization within IT gives it the kind of focus it needs, because the CIO is in many ways on the hook for security, and CIOs understand the importance of investing in security. On the other hand, we need to have links to legal, compliance, and business executives.
It's less important where security resides and more important it's in a place where it has all the links it needs and it can get the funding.

The subtitle of your book is "Turning Business Threats Into Competitive Advantage." How do you turn threats into competitive advantage?
WESTERMAN: There are two ways to do it. When you look at IT risk management as kind of a compliance effort, the value is avoiding certain risks. But if you think about risk management as a capability, you create value in three other ways. One, you have fewer fires to fight, and that creates value because you don't spend resources on the fires. Two, we actually structure IT better and our relationships with the business work better. We can do more, get more bang from our buck. Third is the upside of risk: If we manage risk well, it makes the organization more agile. The organization can take on competitive opportunities other people would consider too risky.

By fixing availability and accuracy we actually go a long way to fixing agility risk, and that's an upside. Looking at the downside of risk creates upside potential for us.