ARTICLE IN PRESS

computer law & security report xxx (2006) 1–7

available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Risk management: Beyond compliance

New dynamic threats require new thinking: Moving beyond compliance

Bill Woloch

BearingPoint, Florida, USA

abstract

Threats today are much more flexible, stealthy, and dynamic than they have ever been. Current efforts by IT professionals and risk managers have had little impact in the mitigation of these threats. When you combine this trend with a renewed focus on protecting soft assets such as intellectual property and reputation, a new approach is needed that swings the pendulum back toward the computer user as an active participant in the risk mitigation effort. Building risk management responsibilities into each employee's job description, and holding them accountable, is the first step in the process of combating today's threats. Risk managers and security professionals must also understand that by taking a holistic view of organizational risk, they can effectively work with human resource managers to ensure that everyone is doing their part in the organization's risk management effort. Compliance is no longer feared by those that it affects, but is turned into a byproduct of a greater effort to effectively match competencies against organizational objectives, resulting in a risk management effort that actually reduces mitigation costs and increases effectiveness.

© 2006 Bill Woloch. Published by Elsevier Ltd. All rights reserved.

1. Introduction

The nature of cyber threats over the last 10 years has become much more dynamic than in the past. Previously, when threats were successfully repelled, it took days, weeks, or even months for attackers to regroup and rethink their approach before trying again. During this time organizations had the time to analyze what worked and what did not work in their risk mitigation strategy. That is not the case today. New strains of viruses can be morphed and new attacks begun in a matter of hours, not days. Hackers work in loosely organized groups from numerous locations around the world, successfully hiding the origin of the attack. Organizations spend anywhere from $247 to $643 per employee1 on computer security, not an insignificant amount of money.

Today's threats are much more dynamic and adaptable than in the past. IT tools help the bad guys as much as they help the good guys. This situation is far from balanced. The bad guys have the advantage. Loose confederations of hackers, or even government sponsored cyber threats, leave few if any traces of their origin or of the security event itself. Added to the challenge of locating remote threats, we are faced with the ongoing problem of insider threats. Statistics have repeatedly stated that 70% of security events involve insiders. Risk and security professionals in turn rely on IT based tools to flush out these perpetrators, often without much success. Let us take a moment to discuss one of the most prevalent forms of dynamic threat, that is, insiders. What motivates them, and what related events affect the number of insider assisted security events in an organization? IT security professionals have felt that topics such as this are in their domain only. Take the recent example at Hollinger International.

1 CSI/FBI Computer Crime and Security Survey, 2005.

0267-3649/$ – see front matter © 2006 Bill Woloch. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2006.01.008

CLSR4140_proof – 1 February 2006


The Securities and Exchange Commission may charge directors who served on Hollinger International Inc.'s audit committee for allowing an alleged fraud to take place under their noses, according to Bloomberg, citing two people with direct knowledge of the matter.2 The Federal Government is taking directors' responsibilities seriously, yet how do directors, executives and managers ensure that insider threats are minimized and eliminated? The issue becomes even more critical when you examine the large gaps in mitigating risks to soft assets such as reputation and intellectual property. Organizations are finding that these assets are an important part of their market capitalization, and are often not insurable. Conversely, problems like off-shoring, downsizing, accidents, work place violence and more are typically seen as human resource problems, which sometimes require the help of other departments like physical security or the safety department. The two viewpoints are actually not mutually exclusive. Over the last few years, different parts of organizations have begun to see the direct and indirect impacts that computer related threats have on the organization as a whole. Dr. Paul Viollos, President of Risk Control Strategies, recently stated that insider actions involving the dissemination of computer viruses or IT equipment sabotage are considered a form of work place violence. Similar views are held by other experts in related fields. Dr. Viollos is frequently interviewed by major news outlets and most recently has had teams in place in New Orleans investigating assaults at the Superdome. Dr. Viollos commissioned a study on the effects of work place violence, and the results showed that for a public company, one instance of publicized work place violence causes the company's stock to go down 15% for an average of 250 days. When we think about the value of any particular company today, the numbers can add up to hundreds of millions of dollars.

Remember, work place violence includes insider threats to network systems. Downsizing and off-shoring also motivate insiders to pose threats to a company. Sabotaging servers, introducing viruses and destroying critical data are all real-world malicious activities performed by insiders and/or remote threats. All of a sudden, the relationship between dynamic threats and insiders becomes much clearer. This is not to say that all insider threats, and dynamic threats in general, are related to work place violence, but when you combine them with the other human resource problems we mentioned earlier, the picture we see is one in which the CIO, CSO, and security department alone cannot successfully mitigate the threats faced by organizations today. Today's enterprise risk management approach promises to break down the organizational silos and facilitate the mitigation of threats, while continuing to use compliance as part of the risk management solution. By taking a holistic view, standards, frameworks, and metrics are still used, but compliance becomes a byproduct of the level of effort, while threats and vulnerabilities are monitored in near real-time and mitigation is continuously implemented.

Let us examine the role static and dynamic security systems play in today's new threat environment, so we can better understand the role internal controls and compliance play in risk management and security.

2. Static and dynamic security systems

Security systems can be classified into one of two categories, static or dynamic. Dynamic systems are just what the words say they are: adaptable, flexible, resilient, and elastic. They rely less on technology and more on people. Dynamic systems do not need additional programming and new costs each time the threat and situation change. They are also the most expensive. People are not cheap, yet it has been proven time and time again that you get what you pay for. Technology should be viewed as an enabler of dynamic systems instead of a replacement for them.

Static security systems, as the name implies, can be characterized as being rigid, difficult to modify and inflexible. A concrete barrier or gate, once installed, can change little to defeat changing threats. The same holds true for technology. Software and hardware upgrades come out periodically, yet the threat is constantly changing. Look at the vicious cycle of hackers and IT security software. Each time a new version of a tool is made available for sale, hackers find and exploit its weaknesses. The software companies fix the weaknesses, and the hackers find new ones. The cycle never ends. Technology cannot take the context of a threat situation and make decisions. People can. Yet many organizations spend millions of dollars on technology-based security solutions, only to discover that they still have vulnerabilities. Used properly, technology does close vulnerability gaps by enabling people to do their jobs more effectively in protecting assets. How many terrorists or criminals are located and captured by technology alone? It is the people who use the technology that protect us against these threats.

2 http://select.nytimes.com/gst/abstract.html?res=F20F17F834550C768DDDAB0994DD404482.

3. Security system design

All security systems have weaknesses. When technology is introduced into a security system, its weaknesses are much more difficult to discover and protect against. User interfaces hide the complexity and vulnerabilities of technology security solutions. Designing security systems requires testing against a number of threats to find new vulnerabilities. The testing is performed each time a new component is installed and before the threat strikes. Thus the security solution's weaknesses are discovered (what made them fail) and adjustments are made accordingly to protect those weaknesses. We are also less prone to fully test complex systems to determine their weaknesses, resulting in insecure systems that may be more vulnerable because of the new component. For instance, over the last few hundred years, prisoners have sat in their cells all day, every day, using plastic utensils to destroy door hinges, locks and anything else that they can find. They have the time and opportunity to discover and attempt to defeat the protection against abuse in all prison cell components. Modern prison cell construction uses pre-cast concrete, doors with minimum clearances and tempered steel construction. The same holds true with technology. The difference is that unlike prison cells, which can be inspected daily for tampering, tampering with technology (that is, hacking) is much more difficult to discover and defend against. User interfaces designed for ease of product use hide complex systems underneath. These systems have vulnerabilities that most organizations do not, and many times cannot, detect.

Testing for vulnerabilities in technology-based security solutions is minimal at best. Consider the testing done on a bullet-proof vest. The prototypes and production units are initially tested in labs replicating real-world conditions. They are also tested by actual use in the field. On the other hand, a new technological tool is developed and tested, even in the client's labs, before deployment. Very few end users continue to test once the solution is implemented. This lack of field testing gives threats the opportunity to exploit vulnerabilities unknown to the client. Security systems can also fail at the edges. The edges are where different security system components meet each other: for example, a blind spot between two cameras, or an access control system and its interface to the human resource database. Technology-based security systems can also be successfully attacked just because they exist. For instance, once hackers find a vulnerability in a popular technology-based security tool, they can exploit the same vulnerability against hundreds of companies that use the same tool. Well-designed security systems are centered on people, and utilize technology to maximize the value people bring while adding minimal new vulnerabilities inherent in the technology itself. A wall or locked gate will not stop threats; it is the people behind them who are the deterrent.

4. Compliance based approach

Despite the new paradigm of dynamic, adaptable threats, many organizations still use the same approach to risk mitigation they have used for years. They have a small cadre of experts (accountants, IT security and physical security experts, and others) who are tasked to mitigate risk. The challenge they face is monumental because the executives for whom they work have given them the charter of compliance, compliance and compliance. A compliance based approach to risk management can be characterized as being:

- cyclical (time based): metrics are designed to be reviewed over a long period of time (quarterly, annually);
- fear of failure: grading systems force organizations to focus on the metrics for each period and not necessarily on longer term solutions that may be more cost effective;
- organizational silos are sustained, because each silo (finance, operations, human resources, IT, internal audit, etc.) has different metrics based on different standards.

Along with this sometimes zealous focus on compliance comes the periodic and cyclical approach to risk that uses static snapshots to determine an organization's ability to defend against threats, often performed on an annual basis to comply with the latest standards and frameworks. Many times the compliance approach holds individuals accountable, but there is little granular measure of the extent of compliance. Metrics are often designed to determine whether some process or task is being done or not being done at the individual's level, leaving a gap with regard to the extent of compliance. All of these efforts work within a time dimension (annual tests, reviews, updates), which supports the compliance mentality. How does this compliance approach to risk management facilitate the organization's ability to actively defend itself against a dynamic threat that can quickly adapt and re-attack in hours?

Professor Mark Davies3 of Fordham Law School has written on the topic of compliance based conflicts of interest issues. His thoughts clearly delineate the advantages and drawbacks of a compliance based system, which are directly applicable to risk management and security:

"... In a compliance-based conflicts of interest system, laws and regulations prohibit specific interests and conduct. ... This approach offers one substantial benefit: it gives clear guidance to public officials on what actions are permissible and what actions are not. This approach, however, contains two overwhelming drawbacks. First, it transforms correct government conduct into a series of rules. As a result, a compliance-based approach is divorced from those values and ethics that promote a public service that is not merely non-conflicted but that is affirmatively devoted to advancing the public good. Since in a compliance-based system what is not prohibited is allowed, that system invariably focuses officials' attention not on doing what is right but on not doing what is wrong, not on doing one's best but on not doing one's worst. Second, as a related point, a compliance-based conflicts of interest system cannot promote the essential values of the nation because rules are negative whereas values almost invariably reflect positive and aspirational principles. Rules do not inspire. Values do."

3 A Practical Approach to Establishing and Maintaining A Values-Based Conflicts of Interest Compliance System, page 9, by Professor Mark Davies, Adjunct Professor of Law, Fordham University School of Law.

Professor Davies makes the point that compliance intones a "do not do this" approach to conflicts of interest vis-à-vis risk management, instead of a pro-active, values based approach. The inspiration he speaks about is the fuel for a dynamic risk mitigation approach which relies on people and technology equally. Dynamic threats require a dynamic response. What is needed is a different approach to risk management that creates a self-perpetuating, near real-time mitigation strategy that requires everyone in the organization to mitigate their portion of the risk management universe. Like molecules in science, the sum of the parts is greater than the whole. Using this new model of thinking, organizations develop a new risk management strategy that counters the threat's ability to rapidly adapt. This viewpoint, and the subject of this paper, run counter to the popular thinking that people are the weak link in security and that technology can reduce risk despite people pasting their passwords on their monitors. While there are certainly many security incidents that involve carelessness, mistakes and even direct threats from insiders, many of the tools that support network security efforts on the user's end tend to be cumbersome and difficult to use. Often, because of lack of funds, the proper tools are not procured, resulting in work-arounds. Usually there is very little, if any, training of individuals regarding security and risk management in an organization. Security is viewed as a necessary evil that does little to add to the bottom line. No wonder users and IT security professionals are frustrated.

IT security experts today rely on a number of products, standards and processes to accomplish their security identification and assessment tasks, and provide their recommendations to CIOs and other senior executives. Yet when closely examined, this process needs to be periodically repeated to provide and sustain any value to the organization. This approach also costs organizations thousands of dollars, tying up valuable resources each time the review is performed. Standards, frameworks and metrics are always evolving, making it more difficult for the security professional to provide a solution roadmap to their organization that does not require another assessment in a year or so. Traditional and enterprise risk management both rely on some form of verifiable measurement, most often relying on differing standards, frameworks and metrics, usually within a cyclical time frame dependency.

Risk managers and IT security professionals tend to rely heavily on static defenses. These include a host of IT tools that are modified annually as new versions. Certainly virus definition files are updated hourly, but they still cannot react in a real-time, dynamic manner against today's rapidly adaptable threats. Risk is a slippery slope traveled by many, and purported to be understood by executives. However, get two risk management experts in a room, one financial and another IT, and all of a sudden they are unable to discuss risk. They each put risk in a different context, using a different vocabulary, definitions, metrics, processes, and standards. This occurs because of the siloed, compliance based mentality we all have today. Ask each of them to list the overall risks to the organization, and their lists will contain different items and will vary in length. This conundrum regularly results in different viewpoints that do little to provide executives a comprehensive risk profile on which to base decisions. Even the formula for risk is different for these two risk managers.

- Financial risk managers use sophisticated computer models to calculate risk.
- IT professionals use the Federal Government definition: likelihood × impact = risk.
- Other risk managers equate risk with threat × vulnerability × asset value.

5. Enterprise risk management

To address the issues we have presented so far, executives and risk managers have begun talking about issues such as risk profile and enterprise risk management as solutions to these complex issues and problems. CIO magazine defines enterprise risk management4 (ERM) as: "... the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. Enterprise risk management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks." Nowhere in this definition do we find how to assess or mitigate against dynamic, adaptable threats. Enterprise risk management also relies on a compliance based approach to risk. As we have discussed earlier, this traditional approach to risk does little to enable organizations to dynamically protect their assets and vulnerabilities against today's loosely knit and dynamic threats.

4 http://searchcio.techtarget.com/sDefinition/0,,sid19_gci508983,00.html.

6. Holistic approach

A holistic approach to risk management can be defined as not only the management of all risks in an organization, with consideration of all risk interdependencies, but also the integration of risk management itself into the organization, its processes and culture. It focuses on the effect each of four elements of risk, if broken out organizationally (financial, physical security, health/safety, IT/technology), has on the others, paying particular attention to the impact hidden technology weaknesses have on the other three areas and on the internal controls of an organization. Therefore, holistic risk management is aligned not only with traditional views of risk, but with the overall impact on the success of the organization in achieving its overall goals from a values based perspective. Professor Davies again discusses the benefit of such an approach: "... The second approach to a conflicts of interest system is values based. A values-based conflicts of interest system exhorts public officials to strive for and attain certain standards. ... Properly crafted, this approach clearly promotes essential national values. It also encourages the official always to strive toward an ideal, not to do the ethical minimum but to do the ethical maximum. Such a system properly deserves the name not merely of a conflicts of interest system but of an ethics system, for by professing values, not merely rules and regulations, it inculcates in public officials ethical standards. But a values-based conflicts of interest system possesses one devastating drawback: it provides no clear guidance to public officials as to what is and what is not permitted in actual, real-life circumstances and thus also
offers little reassurance to the people that their public officials are in fact acting in the public interest."

A holistic approach to risk management relies on everyone in the organization to identify and assess threats and vulnerabilities and to help in risk mitigation as part of their job and organizational culture, creating a values based system in an organization where the sum of the parts is greater than the whole. Individual risk responsibilities are built into all job descriptions and reinforced by being included in performance reviews and individual goal setting; in other words, individualized metrics. A person's ability to keep their job will depend on the knowledge and skill they have in performing their duties while managing the risk that comes with them. They will be rewarded when they succeed, and even fired if they fail to manage their portion of the organization's risk. Guidance on what not to do still comes from compliance requirements. But compliance is now a byproduct of risk management, because the fear of failure in a traditional time based (cyclical) compliance approach is considered secondary to people's desire to manage their part of the organization's risk on a day-to-day basis. Holistic risk management (HRM) is an integral part of the culture of the organization, resulting in continual real-time risk management that is self-sustaining and self-healing, and which is practiced by everyone in the organization. Compliance is a byproduct and not a goal, and since risk management is integrated throughout the organization, time is no longer a dependency, because risk management is being performed by all of the organization's members, at all levels, on a real-time basis. The risk of failure and deadlines is contained within the normal working parameters each person in the organization already faces on a day-to-day basis, so energies can be focused on organizational goals, vis-à-vis sustainability and profit.

Enterprise risk managers argue that ERM does many of the things a holistic approach espouses, yet the definitions of both bear little similarity. Fig. 1, below, summarizes the differences. The compliance based approach used by traditional and enterprise risk management professionals relies on a formal internal controls structure which supports a cyclical (not real-time) process (formal control involves monitoring, reviewing and reporting, as in a traditional command-and-control style process based on organizational hierarchy). A holistic approach uses inherent controls, which occur continuously and consistently throughout the organization as part of normal business practice and are to a large extent self-sustaining. Elements that contribute to an inherent control system include systems thinking, developing a learning organization, motivating trust and relationships and matching competencies with objectives. Inherent controls promote:

- purpose;
- capability;
- commitment.

And are described by:

- motivating trust and relationships;
- systems thinking;
- developing a learning organization;
- matching competencies with objectives.

The differences between the cyclical compliance based approach and the self-sustaining approach are summarized below.

Traditional and ERM approach (periodic and cyclical):

- Compliance mentality
- Periodic repeated compliance audits are necessary
- Competing and differing standards, frameworks and metrics perpetuate the silo mentality
- Differing viewpoints
- No overall risk profile
- "Not my problem" attitudes

Holistic risk management approach (near real-time):

- Standards, frameworks, and metrics still used, and compliance is a byproduct
- Threats and vulnerabilities continuously monitored and mitigation continuously implemented
- Cultural change minimizes the silo mentality toward risk management
- Risk management mind-set perpetuated throughout the organization

Fig. 2, below, summarizes the differences between the cyclical compliance based approach and the self-sustaining approach.

7. The last mile

Any time an organization uses a compliance based approach to problem solving, efficiencies are limited and new ideas are often suppressed. Educators have complained for years that because of federal education guidelines, schools now focus on teaching to the test to get high school students to pass the required competency exams, instead of preparing children for adulthood and teaching the skills they will need in college. The same holds true for risk management and security. Moving away from a compliance based approach to a more holistic or integrated approach brings the focus where it needs to be: on the problem and not on compliance. In return, the organization's risk management efforts will become more effective and in the end self-sustaining, because they become a part of the organization's culture, and are woven into the fabric of the day-to-day activities throughout the organization. The benefits of moving in this direction include:

- reduced operating costs (less money spent on problems such as work place violence, insider threat detection, etc.);
- number of security events reduced (insiders aware of the new culture, with more eyes watching);
- management and employee risk management expectations more closely matched;
- less finger pointing when things go wrong;
- ownership of risk is where it should be, with each person responsible for their part.

The benefits do not come for free; as with any effort, there are obstacles to overcome. However, by capitalizing on the new involvement of the human resources department and internal audit to ensure everyone in the organization understands their roles and responsibilities regarding risk, the organization's efforts become more values based instead of compliance based, resulting in a more effective risk management effort.

[Figure 1: Roadmap to Holistic Risk Management. Three panels, with formal reporting decreasing and inherent controls increasing from left to right. Traditional RM internal controls: CEO and internal audit; formal, cyclical, silo-based; focused on regulatory and financial requirements; little communication between departments; encourages organizational silos; differing standards (cyber standards: NIST (CSEAT); Federal Government standards: GAO, FEMA, CIAO, GSA/PBS; commercial standards: SCADA, ASIS, ASTM, NFPA 5000, NFPA 101, ANSI, building codes; international standards: IEEE/OSE, COSO, AS:4360). Enterprise RM internal controls: finance, operations, IT, HR; cross-enterprise risk identified; coordination across business units for more effective mitigation; awareness of risk increased. Holistic RM internal controls: employees; inherent, real-time; cultural change; complete/consistent risk information; common risk language established; shareholder value protected/enhanced. Insets list the steps to holistic risk management and the inherent controls described in the text.]

Fig. 1 – Roadmap to holistic risk management.

8. Getting there

Executives can begin to move down the road to a less compliance based and more holistic approach to risk management and security by relying less on formal controls and more on inherent controls. This migration must include executives, managers, internal audit and human resources to match individual competencies to organizational objectives. This process can be started by taking the following steps:

- establish baseline (assessment);
- gap analysis;
- policies and procedures review and adjustment;
- involve internal audit and human resources from the beginning;
- education of executives and their subordinates;
- get the message out / walk the talk.

9. Conclusion

Today's reality includes dynamic threats, which are many times hidden from view, and may belong to loose confederations or even hostile governments. Risk management and security professionals have been fighting a valiant battle against these threats. A holistic approach to these issues seems to embody all the characteristics that organizations would want in combating today's dynamic threats. Though not a substitute for technical mitigation strategies, taking a holistic view supplies the "last mile" needed for risk mitigation efforts to become fully realized. The holistic approach, by its very nature, provides the near real-time and self-sustaining capability that allows risk management metrics to be collected, analyzed and applied against the problems traditional enterprise risk management cannot solve alone. Soft assets are further protected by everyone taking responsibility for those assets that traditional insurance policies cannot replace. Furthermore, by encouraging an inclusive policy that holds every person in the organization accountable for managing their portion of the organization's risk, organizations can begin to mitigate the risks brought by new dynamic threats. Costs are reduced, because the formal controls previously in place (at considerable cost) can now be reduced or eliminated by using more cost-effective inherent controls. The use of inherent controls and a holistic approach also brings the added benefit of addressing insider threats that can be exacerbated by downsizing, off-shoring, and workplace violence. Corporate counsels and risk officers can easily point out the benefits identified herein, and suggest to their boards that the cost benefit of taking such an approach will come back to the organization at the conclusion of each compliance cycle. This is true because the inherent-controls-based approach to risk management builds compliance into daily activities by everyone in the organization, thus reducing the time and expenditure necessary for audits and reviews. In addition, the ability to detect insider threats and the protection of soft assets such as intellectual property and reputation will fill the mitigation gap insurance cannot cover.

Fig. 2 Differences between the cyclical compliance-based approach and the self-sustaining approach. (Figure; only the text recoverable from the extraction is kept here.) Traditional & Enterprise Risk Mgmt.: identifying the new threats, and opportunities, from global sources; adequacy of existing security policies, tools, and infrastructure to protect vulnerabilities; silo response to incident response and business continuity planning to mitigate risk; frameworks, standards, metrics; reporting and reviewing cycle; cycle repetition necessary. Traditional and enterprise risk management are not self-sustaining; they require periodic, discrete efforts by a dedicated team. Holistic Risk Mgmt.: holistic risk management is self-sustaining; risk management is integrated and shared by all members of the organization; threat assessment, vulnerability identification and risk mitigation are performed on a continuous, near real-time basis.

Dr. Bill Woloch, email: bill.woloch@bearingpoint.com, Manager, Public Services Security Practice, Business and Systems Aligned. Business Empowered, BearingPoint, Boynton Beach, Florida; www.bearingpoint.com.

CLSR4140_proof 1 February 2006 6/7