Archive for the ‘Risk Management’ category

The Important Links between Culture, Risk Management, and Business Performance

August 24, 2010

Culture—often a microculture within a specific business unit or location or function—is a critical underlying component of the likelihood and severity of business misconduct. Corporate Executive Board research finds that companies with healthier cultures realize numerous benefits:

  • Their employees are two-thirds less likely to see misconduct and much more likely to report misconduct and operational failures.
  • Managers who exhibit corporate values can improve employees’ performance by 12%.
  • Their 10-year total shareholder return outperformed peers’ by 16 percentage points.

Unfortunately, three years of highly detailed data from nearly 500,000 employees at over 100 companies show that company executives have consistently rosier assessments of the health of their culture than non-executive staff. The research shows that nearly 60% of employees do not share bad news and negative feedback because they fear it will negatively impact their careers. Furthermore, employees would forego $1m to $10m in company earnings in order to avoid sharing bad news. Although these results were not specific to information security concerns, IREC believes they can be extrapolated to the security arena.

Culture, properly understood, is a risk control, and a control that impacts much more than just compliance. Making this intellectual leap helps companies understand how best to treat culture: as a measurable phenomenon. That is, critical cultural competencies should be defined, tested, and actively fostered. Companies should start by following these three simple guidelines:

  • Equip managers to deal decisively and consistently with instances of misconduct or unethical behavior;
  • Show the whole employee population—using real instances from the company—how the company deals with misconduct; and
  • Close the loop with employees who report misconduct, so they know that appropriate actions were taken.

Related Research:
Managing the Threat from Malicious Insiders
Preventing Employee Misconduct
Preventing Data Leakage


The Future of Corporate IT: Implications for Information Risk, Part 2

May 25, 2010

We wrote recently about the five trends impacting the future of corporate IT, and the implications of the first three trends for CISOs: information over process, IT embedded in business services, and externalized service delivery. In this post we continue with the implications for CISOs of the other two trends postulated in that work.


The Future of Corporate IT: Implications for Information Risk, Part 1

May 18, 2010

Two weeks ago we shared with you findings from the broader IT practice research effort about five trends that will reshape corporate IT functions in the next five years. In the next few posts we want to discuss with you the risk and security implications arising from those trends. Here we tackle the first of the three trends postulated by The Future of Corporate IT.


The Future of Corporate IT: 5 Radical Shifts in IT Value, Ownership and Role

May 4, 2010

We here at IREC are part of the IT Practice of the Corporate Executive Board. The IT Practice has just released what is probably the most important research we have done in years: The Future of Corporate IT.

The Future of Corporate IT

Our research series on The Future of Corporate IT is based on interviews and surveys with IT and business leaders at over 200 organizations, and on our analysis of business, social, and technology trends. As a result, we find that there are five shifts underway that will radically change how technology is used to create value and how the IT function is structured and managed. These shifts will upend job descriptions across IT management and result in a massive translocation of IT do-ers.


Checklists will not increase your Cloud Computing Security

April 6, 2010

While most members are looking for differences between outsourcing and cloud computing, and developing better assessments to evaluate cloud vendors, a recent discussion between a few IREC members has provided a framework for a different approach to cloud vendors. One of the members on the panel has decided to completely drop the checklist approach to reviewing cloud vendors. He believes that the traditional approach of using ISO 27001 or NIST based questionnaires does not work well with cloud vendors for a variety of reasons. First, most vendors at this time are too new to have the security assessment process down to a point where they can respond to ISO/NIST based assessments. Second, vendors are hesitant about putting to paper any information that can leak and reduce their competitive edge in this rapidly growing market. Third, the storage of information in the cloud can sometimes make traditional assessment unfeasible: for example, Google can break up and store your information in 200 different locations in multiple countries, making traditional location assessment impractical while simultaneously making it harder for breached information to be meaningfully used by hackers.

This obviously means that CISOs whose companies are moving forward with cloud computing initiatives at this time have to assume a lot of risk. So what should CISOs of those companies do? First, have a discussion about security with your cloud vendor. CISOs at first-mover companies have connected their security team with the vendor’s security team and found that a conversation has allayed most of their fears. Second, most cloud vendors have better security controls than anything developed in house. As one CISO said, “All cloud vendors are in the security business; one breach and their business is over, because hackers will get every company’s data. They have a lot of reasons to protect this data.” Finally, have vendors buy insurance against your contract so that if a breach does happen and everyone is suing the cloud vendor, the insurance can pay your company off.

Obviously these recommendations are more relevant to those security folks who have to move to the cloud now. The consensus from the folks on the call was that as cloud vendors start getting more mature they will obtain NIST or ISO certifications that can be used in assessments and will also develop better processes to respond to third-party assessment requests.

2010 Information Security Outlook

Desktop Virtualization a tool for mitigating third party risk?

March 9, 2010

According to a recent report published by the Infrastructure Executive Council, a majority of the 100+ organizations surveyed plan to adopt desktop virtualization in the 2009-2010 time frame. Most members have stated that cost savings are the #1 driver, followed closely by security and mobility. What’s interesting is that over the long run security and mobility might become bigger drivers for adoption, as some of the savings on hardware and software costs will be balanced by increased costs in the data center.

As of now most members are using the technology for certain categories of workers where there is little need for desktop customization: offshore, contract, outsourced, and call center. Since this is also the group that information risk cares about from a data leakage perspective, this would be a win-win situation for both infrastructure and security teams. We should see even more companies selecting this technology for targeted deployment in 2010.

Drivers of Desktop Virtualization

Should an Information Risk Manager Manage “Risk?”

March 7, 2010

Great Minds Think Alike

This post will summarize a provocative presentation at the RSA conference on Tuesday by long-time security practitioner Donn Parker, and detail a similar approach that IREC has been recommending, which we call Controls Maturity Assessment (CMA). We have previously referenced our CMA work in this blog, especially in this post. What is provocative about these approaches is that they both suggest making risk assessment a secondary consideration in your information protection strategy.