Key Components of a High-Performing Information Risk Management Program

Although initially driven by specific events and media hype, the elevation of information risk issues to the executive decision-making levels shows no sign of being reversed. While the role and scope of information risk management (IRM) programs continually evolve, there is a broad consensus around its interdisciplinary nature and the need to prioritize policy, governance and execution duties. Organizations that start on this journey ultimately build a pervasive culture of IRM and pursue operational efficiencies through the use of standardized frameworks, tools and technologies.

Creating an information risk management program consists of designing, implementing and maturing security practices to protect confidential information, critical business processes and information assets across the organization. A high-performing information risk management program is one that recognizes IRM is an ongoing business process requiring the support of departments, functions and individuals throughout the organization. Over the years, these programs have evolved from a security operations and technology focus to a more holistic, organization-wide approach involving multiple levels of people, processes and technology. This has led to significant changes in the role and scope of the program and has expanded the portfolio of activities that fall under its umbrella.

Even though information risk is as interdisciplinary as ever, high-performing information risk management programs integrate security into the core fabric of the business and make it an integral part of the organizational culture. This means organizations infuse the key components of IRM across all dimensions, including processes, systems, applications, technology infrastructure and, most importantly, people. The most effective pieces of a program vary from business to business, but a few are widely regarded as being among the most important.

Information Risk Program Management Basics

High-performing information risk management programs focus mostly on mobilizing against challenges just over the horizon. The convergence of consumer and enterprise technologies, the turn toward profit-driven attacks linked to organized crime and the likely onslaught of new regulations put intense pressure on their current portfolio of controls. These programs adopt leading-edge strategies to elicit secure end user behavior and invest in effective technologies. They also seek to improve their articulation of forward-looking risk scenarios to guide business executives into making sound and timely decisions and to maintain visibility beyond traditional IT security and information protection. Several components are necessary to achieve these aims:

  • The chief information security officer (CISO). Information risk now registers on the enterprise radar: CISOs present to the board of directors at least annually because the scope of the function cuts across traditional silos. In keeping with this, the CISO role leans toward policy and governance while retaining visibility into operational activities or holding some operational responsibilities. While policy duties are universal, oversight of or involvement in operations is crucial to closing the loop from policy to actual risk mitigation on the ground. Stakeholders should ensure that the CISO’s span of control gives them a say in execution and operations.
  • Upward-reporting channels. A majority of CISOs today report within the IT department, typically to the chief information officer (CIO). Whether the CISO should report inside or outside IT is a philosophical question answered differently in each organization. Regardless of formal reporting lines, successful CISOs engage deeply with operational groups within IT as well as with governance and risk management groups such as legal, compliance, physical security, human resources and internal audit.
  • Vision and strategy. High-performing IRM programs create a vision and strategy that integrates people, processes and technology dimensions of information security, all while ensuring it is risk-balanced and business-based, providing clear alignment between business and IT strategies. These programs ultimately create a sustainable culture of IRM by equipping executives, management and employees to make informed trade-off decisions between security and other business priorities.
  • A distributed funding model. A significant proportion of risk mitigation activities is funded and performed by the line of business. High-performing IRM programs seek to devolve ownership of risk mitigation to the business line, except in the case of systemic risks that require centralized solutions. Since security competes with other priorities, high-performing IRM programs articulate the business value of security in loss avoidance or efficiency gains. Stakeholders encourage these programs to estimate the decentralized portion of security spending to aid planning and benchmarking.
  • People making the difference. The typical budget is dominated by operational expenses, of which head count is the biggest line item. While technology is important, the greatest resource used in information security is skilled labor. High-performing IRM programs increase the leverage of their in-house staff by delegating some security tasks to internal or outsourced service providers. While pure security talent is scarce, people with experience in business operations or other risk management functions thrive in security-related roles.
  • Regulatory onslaught. As security regulations multiply and become more prescriptive, programs face the prospect of being mired in multiple overlapping and contradictory compliance efforts and losing focus of the organization’s real security objectives. The only reasonable solution is to rationalize security controls and processes so that compliance with applicable regulations becomes a byproduct of the IRM program.

Risk Identification

IRM programs believe that security threats are mostly predictable, with some pockets of uncertainty. However, these unknowns are concerning enough to prompt attention to the problem of forecasting emerging risks. Innovative tactics work by finding pragmatic substitutes for actuarial data and identifying observable aspects of business operations that can serve as warning signals for likely changes in risk exposure. Some of these tactics include:

  • Tracking threats and vulnerabilities. Although some may think of information security threats as unique and therefore requiring ad hoc tracking and analysis, examination of the high-level threat taxonomies used by IRM programs reveals that a majority of these threats are common to most organizations.
  • Avoiding hindsight bias. Emerging or unanticipated risks account for a significant share of overall risk exposure but often fail to get the attention they deserve. Rather than resting on their ability to address known risks, high-performing IRM programs invest in monitoring and analysis to identify emerging risks and mitigate them proactively. Stakeholders are more receptive to forward-looking business cases, such as those based on avoiding potential harm.
  • Near-miss analysis. By analyzing close calls in addition to loss events, high-performing IRM programs dramatically increase their collection of incident data for understanding threat and vulnerability patterns. These programs learn a lot from uncovering the root causes of security incidents and consistently collecting and analyzing information about near misses. A culture that rewards self-criticism makes this practice more likely to work.
  • Taking hunches seriously. High-performing IRM programs improve their preparation for emerging risks by systematically harnessing the dispersed knowledge of staff to create and test hypotheses about future scenarios. In the absence of concrete data, the “wisdom of crowds” provides significant insight into hard-to-observe quantities such as threat levels. Line staff members are more likely than the CISO to encounter new threats and vulnerabilities in the course of their work. Stakeholders take the collective hunches as sufficient grounds for exploratory investment.
  • Evaluating risks through the lens of potential failure. High-performing IRM programs systematically identify the potential “failure modes” of a specific process or asset, that is, the ways it could fail, and evaluate the risk exposure for each failure scenario. Some programs have traditionally struggled to identify the right unit of analysis for risk assessment, whether threats, vulnerabilities or controls; failure modes give successful programs a systematic means of identifying the relevant risks.
  • Searching for leading indicators. High-performing IRM programs track observable representations of the most important risk drivers, such as turnover rates in different parts of the organization, to obtain warning of likely changes in risk exposure. A systematic understanding of the business characteristics that drive risk is essential for proactive threat identification. Employee allegiance and frequency of merger and acquisition activity appear to have a bigger impact on risk exposure than most practitioners suspect.

End User Behavior

Since security will always lag behind new technologies and solutions, IRM programs have to rely on their end users’ ability and inclination to do the right thing to a greater degree than ever before. Although typical programs have always aspired to indoctrinate secure behavior in end users, past efforts relied on an inadequate understanding of the psychological levers of behavior. Analysis of end user behavior suggests that the institution of relatively modest incentives for secure behavior, even limited to praise and token rewards, will have a greater impact on behavior than additional investments in training and communication. There are numerous concepts related to this type of strategy, such as:

  • Moving from awareness to behavior change. Today, most organizations conduct campaigns without a clear understanding of the root causes of end user compliance or noncompliance with security protocols. While these organizations are successful in bombarding end users with training and communications, they struggle to instill a lasting propensity for secure behavior. Most awareness campaigns are based on unstated assumptions that do not reflect the implicit cost-benefit analysis that employees go through to decide whether or not to comply with a policy. Campaigns based on the psychological drivers of end user behavior are much more likely to result in lasting behavior change.
  • Recognizing room for improvement. Even though most organizations have spent a great deal of time and money on awareness campaigns, user compliance with security policies is far lower than it should be. Given the damage that one successful breach can cause and the prevalence of always-on or automated threats, 25 percent noncompliance with basic security policies is cause for serious concern. IRM programs estimate or measure the rate of compliance with security policy as a baseline for future efforts.
  • Tapping into the power of incentives. Incentives are almost as powerful a lever for behavior change as training and communications, yet most organizations underutilize them. High-performing IRM programs spend money on incentives because they are cheaper than training and communications and are nowhere near their point of diminishing returns, so each additional dollar buys more behavior change than the same dollar spent on further training. Stakeholders, especially those in human resources, compliance and legal, should vet proposed incentives for compatibility with organizational culture and competing corporate mandates. IRM programs also find ways to identify employees who exhibit desired behaviors and reward them with praise or tokens of appreciation.
  • Applying effective segmentation criteria. The traditional criteria used to segment employee populations show no statistically significant relationship with secure behavior. When targeting behavior change efforts at specific roles and levels in the organization, high-performing IRM programs not only tailor the content but also identify the incentive strategy and communication style most likely to resonate with each group.
  • Using a policy compliance report card. Unexpected roles are among those with the least secure behavior. While some of the usual suspects such as executives or sales workers exhibit low policy compliance, others, like application developers, show surprisingly high compliance with basic policies. IRM programs select roles for targeted efforts based on their level of policy compliance and the amount of harm their behavior can cause.
  • Establishing special strategies for executives. Executives are often less compliant and less involved in security issues than others, according to the 2014 Ponemon Institute study “Exposing the Cybersecurity Cracks.” These executives are a particular risk, given their access to sensitive information, so paying attention to the behavior triggers to which they are most receptive is critical. Executive assistants typically receive targeted training, but the executives themselves are harder to influence. High-performing IRM programs identify a senior executive who understands security and is willing to serve as an advocate to others.
  • Embracing consistent depiction. Reactive, ad hoc approaches lead to loss of efficiency since typical programs start from scratch every time they have to advise a business partner. If, as usually happens, different biases or assumptions are used when assessing sets of risks or the same set over time, the lack of consistency can damage the program’s credibility. With IRM programs, standardized templates that are tailored to audience, context and type of decision streamline the decision-support efforts and lead to smoother business engagement over time.

Information Protection

The two pillars of typical security architectures are perimeter security tools and identity management solutions. Unfortunately, on their own they are inadequate to protect valuable information from the growing threat of profit-driven hackers and malicious insiders, so high-performing IRM programs add data-level technical controls such as data loss prevention. Separately, the use of inconsistent terminology and shifting frames in communications leaves business stakeholders with a confused picture of information risk. By developing standard business-facing taxonomies of risk elements and linking them to standardized visualization templates, high-performing IRM programs help stakeholders build a consistent and correct mental model of information risk while also improving the efficiency of their own risk assessment activities. A few of the most significant areas that should be addressed are:

  • Benchmarking due care. “How much should we be spending to mitigate our information risks?” is the most common question posed and also the hardest to answer. The correct answer would take into account the financial value of the risk reduced by information security activities, but this is not a realistic prospect given the lack of actuarial data and the inadequacy of standard risk modeling tools. Thus, high-performing IRM programs turn to peer spending benchmarks to establish a pragmatic due care standard for legal and reputational purposes.
  • Making meaningful comparisons. More than in most corporate initiatives, the effectiveness of IRM programs depends on factors beyond how much money is spent. Given the overlap between the IRM program and other corporate functions as well as the need for risk mitigation to be embedded in the business line, organizational attributes such as scope of responsibilities and relationships with key stakeholders have a significant impact on the program’s effectiveness. And since IRM programs can differ in their role, scope and organizational location (even among organizations in the same industry), understanding this variation is crucial to identifying true peers for benchmarking purposes.
  • Adopting greater senior executive visibility. CISOs involved with high-performing IRM programs engage more frequently with senior leadership. The elevation of information risk issues to the decision-making bodies of the organization has been one of the most prominent developments of recent years. Senior stakeholders ensure they have sufficient visibility into information risk because executive oversight is a part of the due care standard for data privacy.
  • Developing a policy-leaning portfolio of activities. Policy development, awareness and training and risk analysis are typically owned by the security group, while other security activities are completed collectively with operational or shared services groups. In addition to policy and operational duties, IRM programs are involved in the security and continuity of business processes, and they integrate security into the design and planning of business process redesign efforts.
  • Using governance frameworks. ISO 27001/27002 is the most common general-purpose security framework, but COBIT and ITIL also play a significant role in IRM programs. Mapping policies and standards to an industry-recognized comprehensive framework is more important than adopting any particular framework.
  • Harnessing the wisdom of the crowds. The fact that most threats are common across organizations, combined with the insight that information risk practitioners have better-than-random guesses as to their level and direction, allows high-performing IRM programs to use a wisdom-of-the-crowds exercise to aggregate the dispersed knowledge of practitioners into a series of collective hunches.
  • Assailed on all sides. Ongoing business and technology trends create risks that current technical and policy solutions are ill-equipped to address. Since security controls will always lag behind technology advancements, IRM programs rely on appropriate user behavior to mitigate new risks. The shift from amateur cybercriminals to profit-driven attackers linked to organized crime reduces the margin for error on technical controls. To cope with an ever-increasing number of regulations, these programs streamline security processes and workflows so that compliance is a byproduct.
  • Aligning stakeholders. Although cross-functional engagement is the single most important capability for an IRM program, some struggle to communicate the precise service they perform for the organization to their various stakeholders. These stakeholders often have unique capabilities they expect the IRM program to develop and their own evaluation of its current strengths and weaknesses.
  • Closing alignment and performance gaps. Some cases of misalignment will be resolved by communication and expectation setting, while others will require the IRM program to do a better job of incorporating the voice of the customer in strategic planning and prioritization activities. Those areas in which both stakeholders and IRM programs see significant room for improvement form the core of information risk’s strategic plan.
  • Protecting the data directly. Given the unstructured nature of information and multiple leakage channels, IRM programs implement or upgrade their data-level technical controls. The concept of the perimeter is outdated given the ever-increasing presence of suppliers, customers and contractors inside the corporate network, as well as the threat posed by insiders. High-performing IRM programs rely on policies and standards as well as security technologies such as content filtering to protect sensitive unstructured data.
  • Following technology adoption trends. IRM programs have data loss prevention and endpoint security in place while also investing in traditional areas like identity management and application security. With the continued rise of malicious attacks from insiders and outsiders, interest in technical controls that protect unstructured data continues to climb.
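The last two points refer to data-level controls such as data loss prevention and content filtering without showing what such a control actually does. As an added example (this is not code from the article, from IBM Security Services or from any DLP product), the following Python script sketches the detection core of a content filter for unstructured text: it finds candidate payment card numbers and validates them with the Luhn checksum so that arbitrary long digit strings such as order numbers do not trigger alerts, finds US Social Security numbers in the common dashed form, and returns a block/allow decision together with masked findings that are safe to write to a log. The regular expressions, the masking rules, the one-finding block threshold and the sample text are all assumptions made for the example.

```python
"""Minimal DLP-style content filter for unstructured text (illustrative only).

Finds payment card numbers (Luhn-validated to cut false positives) and US
Social Security numbers, returns a policy decision, and masks every finding
so that the alert itself does not leak the sensitive value.
"""
import re
from dataclasses import dataclass

# Assumed pattern: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Assumed pattern: SSN in 123-45-6789 form. The exclusions (area 000/666/9xx,
# group 00, serial 0000) follow the ranges the SSA never issues.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)


@dataclass(frozen=True)
class Finding:
    kind: str     # "card" or "ssn"
    masked: str   # redacted value, safe for logs and alerts
    offset: int   # position of the match in the scanned text


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits, as a receipt would."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan(text: str) -> list[Finding]:
    """Return all card and SSN findings in `text`, ordered by position."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Luhn rejects roughly 90% of random digit strings of the right
        # length, which is what separates a card from an order number.
        if luhn_ok(digits):
            findings.append(Finding("card", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], m.start()))
    return sorted(findings, key=lambda f: f.offset)


def decide(text: str, block_threshold: int = 1) -> tuple[str, list[Finding]]:
    """Assumed policy: block the message when findings reach the threshold."""
    found = scan(text)
    return ("block" if len(found) >= block_threshold else "allow", found)


if __name__ == "__main__":
    # Constructed sample text; the card number is the well-known Visa test
    # number and the SSN is the historical Woolworth sample, not real data.
    sample = (
        "Card 4111 1111 1111 1111, SSN 078-05-1120, "
        "order 1234567890123456 shipped"
    )
    verdict, hits = decide(sample)
    print(verdict)
    for h in hits:
        print(f"  {h.kind} at {h.offset}: {h.masked}")
```

The masking step matters in practice: a filter that copies the matched card number into an alert has just created a second place the data leaks from, typically one with weaker access controls than the original document. The Luhn check is the standard false-positive reducer for card data; real products add keyword proximity, document fingerprinting and exact-data matching on top of it.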

Typically, establishing a high-performing information risk management program takes three to five years in a large organization, and maintaining executive commitment and investment for the duration is essential. Carefully choosing a combination of short-term, low-hanging-fruit projects that demonstrate value and longer-term infrastructure and cultural change projects provides incremental increases in program quality while strengthening executive support. Attempts to build a program often fail because management does not take advantage of the lessons learned by other organizations. Understanding and implementing the key components of a high-performing information risk management program goes a long way toward ensuring success.

Brian Evans

Senior Managing Consultant, IBM

Brian Evans, CISSP, CISM, CISA, CGEIT is a Senior Managing Consultant for IBM Security Services and assists clients in building regulatory compliant information security programs. With over 20 years of combined experience in IT management, consulting and information security, Brian has served in the role of Chief Information Security Officer for a variety of organizations and worked in various industries. He has led the Incident Response and Computer Forensic Investigations teams for Nationwide Insurance and was Vice President, IT Risk Management at KeyBank and JPMorgan Chase. Brian held director level positions with CynergisTek and Computer Task Group consultancy firms and started his career in the U.S. Air Force. He has earned a Master’s in Public Administration from the University of Cincinnati and a B.S. in Business Management from the University of Maryland.