Ready for Risk Management?
Metrics Help Organizations Assess Their Maturity
When it comes to information security, there are as many ways to go wrong as to go right. That is why, before a financial institution attempts to implement and improve its security risk management process, it must examine its fundamental level of maturity. Is the organization ready for risk management?
According to industry analysts, an organization with no formal policies or processes relating to security risk management will find it extremely difficult to put all aspects of the process into practice. Even organizations with some formal policies and guidelines may still find the process a bit overwhelming. The solution is to take the time to assess your organization's maturity level.
Mike Karp, senior analyst at Enterprise Management Associates, an IT analyst and consulting firm, credits the concept of organizational maturity to the Capability Maturity Model (CMM) developed at Carnegie Mellon University’s Software Engineering Institute. Karp says maturity has to do with building the capacity to make processes repeatable, that is to say well defined and well documented. Ultimately, you want to end up with processes that are vetted and tested so that they are bulletproof -- though perhaps not foolproof, he says.
“What you need is something you can point to if there is a mistake along the way so you can say ‘Here is what happened,’” says Karp.
Determining Your Maturity Level
Writing in a recent Gartner publication, “Toolkit Tutorial: Assessing Risk Posture and Setting Priorities Using a Process Maturity Tutorial,” analyst Paul E. Proctor outlines a six-step process that can be used to tackle the security challenges of financial services organizations.
- Develop a Process Catalog: gather existing process documentation or, if necessary, document processes for the first time, then set priorities within this “catalog” for process formalization and for assigning ownership and resources.
- Assess Process Maturity: use the CMM scale to decide which elements in the catalog are mature and which ones need further refinement.
- Develop a Process-Maturity-Based Risk Report: create “a bridge between process maturity and risk posture.” Because there are no absolute standards for security, Proctor recommends setting up a multidisciplinary panel to make these assessments.
- Decompose the Gaps into Projects: put forward an action plan to address security gaps, with projects focused on elements that can “materially improve the maturity” of a given process.
- Develop a Strategic Plan: put process into the assessment and ensure that purpose and value are communicated within the business.
- Quarterly Reporting: establish a regular schedule for reporting on progress.
The report goes on to recommend that implementation be mapped to organization goals. In particular, writes Proctor, you must bring together the right mix of people, and “engage your organization in a manner relevant to your...circumstances.”
Other Approaches
Another view of the risk maturity process comes from the International Association for Contract & Commercial Management (IACCM), which has published a report (updated most recently in 2003) titled “Organisational Maturity in Business Risk Management.” That report sets out a 12-step implementation process and identifies four levels of organizational achievement: novice, competent, proficient, and expert. The organization’s degree of competence is measured in terms of four attributes: culture, process, experience, and application.
Organizations at the novice stage tend to be risk averse and lacking in awareness, understanding and commitment; they have few working processes in place, little or no relevant experience, and no application of any of these attributes to mastering security. On the other end of the spectrum, expert organizations are proactive -- with an intuitive grasp of challenges and a full commitment to “be the best.” In terms of the process, experience and application attributes, expert organizations are adaptive, have considerable experience and qualifications, and are applying themselves to master security challenges across the whole business.
The IACCM report, available at http://www.risk-doctor.com/pdf-files/brm1202.pdf, provides a number of matrices and questions that support organizational self-assessment.
Finally, The Information Security Program Maturity Grid, authored by Timothy R. Stacey and developed for a National Institute of Standards and Technology seminar, lays out five stages of security maturity, which somewhat resemble those in the IACCM report. They are uncertainty, awakening, enlightenment, wisdom, and benevolence.
Stacey offers his own matrices that can help with organizational assessment, and he proposes five measurement categories for gauging improvement: management understanding and attitude, security organization status, incident handling, security economics, and security improvement actions. This article is available at http://www.infosectoday.com/Articles/82-10-40.pdf
Putting Maturity into Perspective
With all the available approaches, most of which share common attributes, it isn’t hard to “get the ball rolling” on a security initiative. However, notes Adam Honoré, senior analyst at Aite Group, a research and advisory firm focused on the financial services industry, “I’m always a little dubious about people going overboard.”
Honoré explains that, as with CMM, “When people say they are operating at level 4 or level 5, that means they are spending a whole lot of time on process,” which may not always yield proportional benefits. “It really is a common sense issue; no matter what you are bolting on to your organization in terms of methods, you have to be smart.”
Also, notes Honoré, “If you are talking about self-assessment, certainly many banks are already doing maturity models in one form or another, whether it is within the Microsoft Solutions Framework if they are a .NET shop or perhaps using tools like those from IBM Rational Software.” Banks are also building many workflow processes around data ownership: how records are sourced and updated, who has rights, who needs to have access, and who has ultimate control.
For Honoré, it boils down to three necessary components: make security thinking part of your culture, eliminate data silos, and foster technical accountability. In other words, he adds, “Use workflow.”
Still, he admits, â€œNo one wants to be on the front page all the time like the TJX Companies.â€