“What, me worry? – I’ve got a regulatory check list and an enterprise risk management system to manage the process”.
I want to talk about under-thinking the risk analysis and over-spending on the solution.
I believe that there is a fundamental flaw in enterprise risk management systems – they don’t really tell the organization something it doesn’t already know and if we don’t bring some fresh input and new risk intelligence to the board room,we are not going to be very effective at mitigating new threats.
The problem with enterprise risk management systems starts with a focus on managing internal business processes, as if mitigating threats to intellectual property is like producing a purchase requisition.
Systems like Oracle ERM help “assess risk for a portfolio across multiple parameters” and provide a powerful way of collecting data from users by asking them how ‘risky’ is their part of a business process and then roll up the total risk in the business process.
This approach of self-assessments may actually be a very bad idea for an effective risk mitigation program, since users can answer self-guided questionnaires any way they feel like.
It’s called GIGO, garbage in garbage out – i.e. a system that rolls up a bunch of arbitrary answers will give an arbitrary result which might help the auditor rack up billable hours but may not help the management anticipate and mitigate threats in a cost-effective way.
Most of these systems seem to try to satisfy one kind of compliance regulation or another. Asking a bunch of people how risky their part of the business process whether they care about it or not is not a good way of ensuring quality data collection.
This sort of risk assessment doesn’t help people do their job better and doesn’t help a business protect customer data more effectively.
Another vulnerability of enterprise risk management stems from a standardized check list approach which encourages under-thinking the analysis and over-spending on the solution.
Check lists like PCI DSS 1.2 were outdated the moment they were publicized and comprehensive checklists like ISO27001 are lacking security metrics and prioritization of control implementation – although, I will grant that ISO is moving in that direction.
While checklist applications are important for the customer and the auditor in order to prove compliance – sticking blindly to a checklist doesn’t help an organization find cost-effective security controls, respond to new threats or sustain a consistent level of security.
There are a few things that I’d like to see in a next generation risk management system that might help organizations get out from under their rock and discover new threats and new ways of implementing countermeasures:
- Believe it or not – a totally different user interface – like maybe Facebook for risk assessment. If risk assessment was a must-have business resource like general ledger, then the user interface might not matter but I suspect that a social-networking application of risk data collection and collaboration between analysts, attackers, vendors and managers might go a long way. SMS and email, for example, were hard to use when they were first introduced, but the network connectivity value that users got out of it was so high that people used it anyway and then the applications took off like sky rockets.
- Global catalog of risk model classes & entities – like a Wikipedia of risk
- Multiple language support (let’s face it, most of the world doesn’t speak English)
- Open source plugin risk models and model inheritance – that would enable a threat analyst in India to build a risk model base class and have an analyst in San Francisco be able to inherit the model and add new functionality
- Risk model authoring and entitlement – this would help risk analysts monetize their efforts.