Risk management should be proactive
Risk management should play a proactive role in business, rather than a reactive one.
At the ITWeb Governance, Risk and Compliance (GRC) Conference earlier this year, the keynote speaker, Tichaona Zororo, director of EGIT, said it is important that risk management is proactively implemented, rather than event-driven. He said risk management should not be about "patching up holes".
"Many organisations prioritise governance or risk based on reactive measures, responding to an audit or incidents to implement controls," according to Jayson O'Reilly, director of sales and innovation at DRS. "This immediately puts organisations on the back foot and makes it look like IT departments are cost centres and not value centres."
He believes a 'tick box' approach will not mitigate future risks, and always leaves organisations playing catch up. "Following a proven methodology of risk management will empower organisations to demonstrate true cost savings even though there may initially be a consulting investment required upfront. At a recent global risk management event I attended, experts in the risk management field were able to show an increase of 25% on an organisation's share price through the implementation of a risk management process across their business," he says.
Warren Olivier, territory manager at Veeam Software, agrees a proactive approach is essential for a sound GRC strategy. "You need to test that you can actually restore service from your backups - or you're living with a false sense of security. We've seen people lose months of data because they were backing up undiscovered errors," he says.
"It is vital that risk management is proactive; a business cannot rely on event-driven implementations," states John McLoughlin, MD of J2 Software. "If that was the standard approach, there would be time for nothing else. You simply cannot run around putting out the fires, and the adage 'prevention is better than cure' is especially relevant in this regard."
According to Paul Stafford, business development manager at Mimecast, our market has typically been less mature than global first world averages around the implementation of effective risk management measures. "Whilst risk management is well understood at an executive level within our economy, the capability is quickly lost as you dig deeper into the lower levels of organisations. Appropriate orientation and training is a challenge that few organisations have conquered, leaving the greater workforce unequipped to assist with risk management," says Stafford.
Hedley Hurwitz, MD of Magix Security, also agrees a proactive response is best, but explains there is a critical element missing, and that is the importance of the 'real-time response'. "While it's admirable that a culture of risk awareness is going to be inculcated and that risk management is going to be proactively implemented, nothing will work effectively without real-time visibility, monitoring and responses to issues or events. The instant an event or trend is identified, predefined processes should launch automatically to protect the company, its brand, finances and employees," he says.
Risk awareness culture
Also at the ITWeb GRC Conference, Zororo mentioned that it is the duty of the board to make sure an appropriate culture of risk-awareness exists throughout the organisation, and to see to it that there is recognition that management of risk is essential to the successful execution of the company's strategy.
In order to successfully implement risk management into an organisation, McLoughlin believes it is a necessity to ensure that a company's users are the first line of defence. "It is imperative that users become the guardians of the organisation's information," he says. "The correct and effective enforcement of a comprehensive risk management strategy must start from the executive level. In order for a company to thrive, it has become a modern-day necessity to ensure that ICT GRC becomes a part of the very essence or DNA of the organisation. This will ensure long-term information security and business sustainability."
According to Hurwitz, depending on users to mitigate risk without systems to guide and govern their actions is unrealistic. "Risk management can only be integrated into an organisation if it is endorsed by the C-suite and implemented rigorously," he says. "If a company chooses to implement risk management as a standalone silo, or a set of guidelines that they expect users to adopt without checks and balances in place, they are likely to see little benefit."
O'Reilly believes too many South African organisations practice bits and pieces of risk management. "This is not filtered all the way through the organisation, which means politics is rife in the decision-making process when considering what mechanisms need to be employed to mitigate risks. Finding a key stakeholder who has the overall responsibility is extremely difficult, even though someone may carry the title 'risk manager/director'."
According to Olivier, looking at change management/workflow and getting a change control team in place to sign off on all changes to the data environment before they're implemented could help. "If something was changed without any approval, they could look at why and how, to prevent disasters. Known as virtual machine life cycle management, a change control team could comprise people from capacity planning, hardware and procurement to incorporate the whole life cycle of an application," he says.
Appropriate training at the various levels of business, with sensitivity to the complex matrix of industry vertical needs, backgrounds, cultures and education levels can help build a culture of risk, according to Stafford. "There are a wide array of innovative methods available to deliver this message. The message needs constant reinforcing and needs to be backed up with IT and process controls to measure and account for departures," he says.
In order to ensure successful GRC implementation, McLoughlin once again reiterates the importance of achieving top-level executive buy-in. "This will only work with a tailored, user-friendly and 'live' information security policy document enforced via a combination of automated electronic tools," he explains. "Computer-based solutions and ongoing training is the most powerful method of training staff about the information security policy, increasing awareness of risks and ensuring adherence to policies. No amount of technology will entirely obviate human error; but these solutions can go a long way in minimising this risk."
He also believes improving communication between the board of directors, compliance and IT departments in organisations is an important factor in lowering the risk portion in any business.
According to Hurwitz, companies that want a successful GRC implementation must ensure that processes are visible, can be monitored consistently, and in real time, and that they can react timeously to all threats.
"Test, test, test... practice makes perfect," explains Olivier. "While you can't guarantee complete immunity from a disastrous outcome, the more you test your GRC systems and responses, the more waterproof they will become."
Many businesses need to simply make a start, according to Stafford. "Like many disciplines, the smaller changes can cover a large portion of the risk. Companies can start with parts of the business that see the highest levels of data communication and can fairly easily put controls, awareness and exception management in place, such as e-mail."
Information risk challenges
When it comes to challenges companies face, McLoughlin believes the biggest risk is still the users in the organisation. "According to a number of recent studies, the 'insider threat' has become the most feared information security risk in most organisations today," he says. "Regardless of the technologies and software solutions that an organisation may deploy to mitigate the risk of information security breaches, the critical factor is always people.
"Another problem that I have identified recently is that the constantly changing legislation all too often brings about compliance fatigue," McLoughlin continues. "This seems to develop into negative sentiment towards GRC throughout the process. Outsourcing and bespoke legacy applications that may not have information security factored into them may also be overlooked from a compliance perspective due to a lack of in-house expertise or avoidance of additional cost," he says.
According to O'Reilly, there are very few organisations that assist clients in delivering a compliance standard that is relevant. "It's usually a complicated framework that has no real meaning to the people who run the business. I would encourage finding a partner that focuses on the business requirements involved to ensure deduplication of frameworks, making it impossible to become overburdened by the constant requirements of governance and compliance," he suggests.
Olivier believes the biggest information risk challenge to a company is the loss of its own data, eclipsed perhaps only by the loss of its customers' data, which is now punishable with fines under POPI legislation.
"Adding to this, having unplanned and unscheduled downtime can be crippling to a business," he says.
There are two forces at play that bear consideration here, according to Stafford. "On the one side, the law, governance and general awareness of the value of information is crystallising for business. On the other hand, users are becoming more aware, enabled and demanding.
"If IT does not provide me a solution, I will simply provision one myself from the maze of available services being driven by cloud app stores and mobile computing. Controlling the boundaries of consumer services and corporate services is becoming very difficult. The location and access of business data has been through a recent revolution. Solutions now need to cater for mobile access, without weakening security, access control and chain of custody," he explains.
The biggest risk most companies face, according to Hurwitz, is the inability, or lack of will, to practically implement risk management in a manner that actually results in mitigating risk. "Strategies and documents only satisfy regulatory requirements for risk management. Real risk management requires visibility, monitoring and the ability to react timeously," he concludes.