Information is the lifeblood of business. Valuable corporate data is available to employees, business partners and contractors. It is accessed locally, in the cloud and in virtual environments, giving instant access to non-public sensitive information. Making matters worse, employees typically do not ask permission to load third-party software or applications on their laptops and mobile phones -- devices that are connected to their companies' networks and data stores.
The convenience and business value of "information anywhere" comes with risk. While companies want to support devices, software and applications that enable employees to get the job done, they must do so while carefully monitoring and managing business risks related to the use of information and IT.
One solution for information anywhere is "information security everywhere," but this is impractical and unachievable. Organizations need to determine when convenience results in too much risk and what should be done to limit risks. This is a major challenge, especially when you consider that most organizations cannot answer the simple question, "What is our information risk today?"
Only 8% of organizations can determine what the color of their information risk is today within a day or the same week, according to benchmark research on the state of business risks related to the use of information and IT conducted by the IT Policy Compliance Group. Furthermore, 2% of organizations cannot answer this question at all or the response is delayed by nine months or more; 70% of organizations are unable to answer this question within three months and 20% take between one week and three months. Poorly defined business risk, inadequate gathering of information, ill-equipped reporting systems and un-prioritized controls contribute to these unreasonable delays.
Getting priorities right
The IT Policy Compliance Group found significant differences in how well organizations are prepared to meet the challenges of information anywhere and anytime, and in their ability to define and manage the related business risks. Organizations experiencing the lowest business risks related to the use of IT can answer what color their information risk is today because they have the right organizational processes, controls and reporting systems in place.
These organizations begin by defining business risks from the top down and then prioritizing them. Risks arise from the day-to-day execution of business functions; they include managing cash, sourcing risks, accounts receivable, credit risks, legal risks, market concentration risks, regulatory risks, competitive risks, reputational risks and operational risks.
The most successful organizations draw on the skills of multiple departments and functions to both define and manage business risks related to the use of IT. Wider stakeholder participation enables organizations to prioritize the external pressures and business risks, identify the core organizational risks related to the use of information and IT assets, and use reporting systems to monitor, manage and balance the tradeoffs between policies, risks, exceptions and controls more effectively.
With respect to IT controls and operational processes, companies with the lowest business risks employ several unique practices. Nearly three-quarters of these organizations routinely classify sensitive information assets and identify IT assets with access to sensitive information. Nearly two-thirds consistently maintain an inventory of the locations of sensitive information, detect or prevent the leakage of sensitive information and use information security controls to protect sensitive information.
In addition, the IT Policy Compliance Group found that the rate at which risks and controls are evaluated is very different among organizations. There is a direct relationship between outcomes and the elapsed time between the assessments of risk and controls. The organizations with the lowest risks implement very frequent risk and controls assessments with very short elapsed times between assessments (weekly to bi-monthly), while the rate is quarterly or less frequent among organizations experiencing worse outcomes.
Automation drives better outcomes
The level of automation to gather information and produce reports on information risks and controls is also directly related to achieving better outcomes. Simply put, the worst performing organizations have the least automated procedures and the best performers have the most automated procedures to gather information and produce reports focusing on operational, financial, reputation, headline and brand risks related to the use of IT.
Organizations with the lowest business risks automate the collection of information around IT controls and organizational processes and deliver customizable reports connecting the dots between business risks and the use of information and IT. The IT Policy Compliance Group found that 80% of the procedures to gather information and produce reports about the business risks related to the use of information and IT assets are automated by organizations experiencing the best outcomes.
In contrast, organizations with the most loss or theft of customer data, the most business downtime and the largest difficulty sustaining audit results are automating just 11-12% of the procedures to gather information and produce reports.
Making risks visible with useful reports
Not only are the procedures more highly automated, but more frequent reporting, with business impact summaries, exception reports, priority reports and Web-based dashboards, is more common among organizations with the lowest business risks.
These organizations report on business risks by priority, by type of IT assets involved and on a full range of IT controls, especially on IT asset configuration check failures to flag and identify inconsistencies in the integrity of information and systems.
They also include IT effectiveness metrics in management summary reports that indicate the availability of IT service levels, the integrity of IT assets and information, the integrity of financial systems and information, the integrity of customer data, the integrity of sensitive corporate data, as well as the integrity of audit and information security controls.
Research from the IT Policy Compliance Group also shows that organizations routinely reporting on key trends occurring in IT, for instance changes in Internet security threats and what they mean for operating units and business functions, achieve better outcomes. They use this information to anticipate trade-offs between business risks and controls, to manage the risks and to identify early warnings that keep information losses, thefts and business downtime to reasonable and manageable levels.
Knowing what information will most assist the CEO, CIO, CFO, division managers, business unit managers, CISOs, IT operations managers and everyone else involved in managing business risks related to the use of information and IT assets is as important as reporting it in easy-to-interpret, customizable reports for the different decision makers within the organization. Web dashboards are the most desired format for managing business risks because they offer advantages such as color-coded risks and drill-down reporting on exceptions, priorities and controls.
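The reporting practices described in this section (risks by priority, by asset type, configuration check failures, and a color-coded answer to "what color is our information risk today?") can be shown concretely with a small report builder. The following is an added example written for this page; it is not code from the article or from the IT Policy Compliance Group. The check results, the priority weights, the red threshold and the one-week freshness window are all constructed assumptions chosen for illustration. The freshness window is what makes the "today" in the question matter: a business risk whose controls were last assessed more than a week ago is reported as gray (unanswerable), not as green.

```python
"""Added example: building a color-coded information risk report.

Constructed for illustration; weights, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CheckResult:
    """One IT control check against one asset, tied to a business risk."""
    business_risk: str   # the top-down business risk this control protects
    asset: str
    asset_type: str
    control: str
    priority: int        # 1 = highest priority control
    passed: bool
    assessed_at: datetime


# Assumed scoring model: how much a failed check of each priority contributes.
PRIORITY_WEIGHT = {1: 10, 2: 5, 3: 1}
RED_THRESHOLD = 10               # assumed: total failure weight at which a risk turns red
MAX_AGE = timedelta(days=7)      # assumed: checks older than this cannot answer "today"

NOW = datetime(2024, 6, 10, 9, 0)  # constructed "today" so the example is reproducible

# Constructed sample feed, as an automated collector might produce it.
SAMPLE_RESULTS = [
    CheckResult("customer data", "db-01", "database", "disk encryption enabled", 1, False, NOW - timedelta(days=1)),
    CheckResult("customer data", "db-01", "database", "admin accounts reviewed", 2, True, NOW - timedelta(days=1)),
    CheckResult("customer data", "app-03", "web server", "TLS configuration baseline", 2, True, NOW - timedelta(days=2)),
    CheckResult("financial systems", "erp-01", "application", "patch level current", 3, False, NOW - timedelta(days=3)),
    CheckResult("financial systems", "erp-01", "application", "log forwarding enabled", 3, False, NOW - timedelta(days=3)),
    CheckResult("financial systems", "fs-02", "file server", "sensitive share inventoried", 2, True, NOW - timedelta(hours=5)),
    # Nothing assessed in the last week: the question cannot be answered today.
    CheckResult("sensitive corporate data", "lap-17", "laptop", "DLP agent installed", 1, True, NOW - timedelta(days=40)),
    CheckResult("sensitive corporate data", "lap-18", "laptop", "DLP agent installed", 1, False, NOW - timedelta(days=40)),
    CheckResult("audit controls", "siem-01", "logging", "log retention >= 1 year", 2, True, NOW - timedelta(days=1)),
]


def classify(results, now=NOW, max_age=MAX_AGE):
    """Return (color, score, stale_count) for the checks of one business risk.

    gray  = no check fresh enough to answer for today
    red   = any fresh priority-1 failure, or failure weight at/above RED_THRESHOLD
    amber = some fresh failures below the red threshold
    green = all fresh checks passing
    """
    fresh = [r for r in results if now - r.assessed_at <= max_age]
    stale = len(results) - len(fresh)
    if not fresh:
        return "gray", 0, stale
    failures = [r for r in fresh if not r.passed]
    score = sum(PRIORITY_WEIGHT[r.priority] for r in failures)
    if any(r.priority == 1 for r in failures) or score >= RED_THRESHOLD:
        color = "red"
    elif score > 0:
        color = "amber"
    else:
        color = "green"
    return color, score, stale


def build_report(results, now=NOW, max_age=MAX_AGE):
    """Group checks by business risk and produce the drill-down for each."""
    by_risk = defaultdict(list)
    for r in results:
        by_risk[r.business_risk].append(r)
    report = {}
    for risk, items in by_risk.items():
        color, score, stale = classify(items, now, max_age)
        # Exception list: fresh failures, highest-priority first, for drill-down.
        exceptions = sorted(
            (r for r in items if not r.passed and now - r.assessed_at <= max_age),
            key=lambda r: (r.priority, r.asset),
        )
        by_type = defaultdict(int)
        for r in exceptions:
            by_type[r.asset_type] += 1
        report[risk] = {
            "color": color,
            "score": score,
            "stale_checks": stale,
            "exceptions": [(r.priority, r.asset, r.control) for r in exceptions],
            "failures_by_asset_type": dict(by_type),
        }
    return report


def overall_color(report):
    """Whole-organization answer: unanswerable if any risk is gray, else the worst color."""
    colors = {entry["color"] for entry in report.values()}
    if "gray" in colors or not colors:
        return "gray"
    for color in ("red", "amber", "green"):
        if color in colors:
            return color
    return "gray"


if __name__ == "__main__":
    rep = build_report(SAMPLE_RESULTS)
    print(f"Overall information risk today: {overall_color(rep).upper()}")
    for risk, entry in rep.items():
        print(f"{entry['color']:>5}  {risk}  score={entry['score']}  stale={entry['stale_checks']}")
        for prio, asset, control in entry["exceptions"]:
            print(f"       P{prio} {asset}: {control} FAILED")
```

Run as a script, the sample data reports "customer data" red (one fresh priority-1 configuration failure), "financial systems" amber, "audit controls" green, and "sensitive corporate data" gray because both of its checks are 40 days old, which makes the overall answer gray: the organization in the sample could not state its color today, matching the situation the benchmark describes for most organizations. Shortening the assessment interval (the `MAX_AGE` assumption) is the lever the article's research points at.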
Starting to answer the question
Without the ability to quickly and accurately determine the color of information risk, many organizations could discover -- after it's too late -- what the risks were and what information security programs and controls would have mitigated the risks.
Clearly, the eight percent that within one day or the same week can answer the question "What color are our information risks -- today?" are doing things differently; and it's paying dividends. These companies have the highest business service levels, the lowest operating and financial risks related to the use of information and IT assets, the lowest rates of data loss or theft, the least amount of business downtime due to failures occurring in IT and the lowest expense to sustain regulatory audits.
Trying to stop the waves of new, powerful consumer devices from being used by employees and business partners is hopeless. Instead, organizations need to focus their efforts on identifying risk owners and risk managers, establishing risk priorities, and automating the processes to collect information and produce visible reports that not only connect the dots between the business risks related to the use of information and IT, but also show value to other senior managers.
Jim Hurley is the managing director of Symantec's IT Policy Compliance Group
This story, "What color is your information risk today?" was originally published by CSO.