Report to the Board: Five Practical Tips for Linking IT Risk Management and Compliance to Corporate - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Report to the Board: Five Practical Tips for Linking IT Risk Management and Compliance to Corporate Performance
  • John P. Morency, Research Director
  • IT Infrastructure Operations Research
  • (978)-901-4123
  • John.Morency_at_gartner.com

2
Report to the Board Scenario

Problem
The CISO (direct report to the CIO) received a call on a Thursday requesting a 20-minute overview of risk and security for the board of directors on the following Monday, for the first time in four years.

Approach
  • Link risk and security activities to corporate initiatives.
  • Avoid fear, uncertainty and doubt.
  • Create a four-slide deck with emphasis on what's working and what's not.
  • Create 20 backup slides with greater detail and operational metrics.

Challenges
  • The urge to panic.
  • Sorting through the plethora of available information for the nuggets of interest to the board.
  • Coordinating the input of 15 direct reports.
  • Rationalizing the results of a recent risk assessment.

Business Value
Effective board reporting provides transparency
to the business and helps reduce risks that
impact corporate performance.
3
Key Issues
  1. What do boards and lines-of-business executives want from risk and security?
  2. How do the risk-based disciplines impact corporate performance?
  3. How can you present a defensible case for the value and effectiveness of risk management to an executive audience?

5
Tip: Set Key Risk and Security Program Management Objectives
  • Accountability: Provides for tying actions to people and assigning necessary responsibility in a decent governance framework.
  • Transparency: Makes the operations of an organization more auditable by increasing visibility into core processes.
  • Measurability: Provides the basis for continuous improvement and allows for the creation of a baseline that can be compared.

7
Tip: Use Key Performance Indicators to Measure Operational Risk
8
Key Performance Indicators
  • What is a KPI?
    • A key performance indicator is a non-financial leading indicator of business performance.
    • Traditional financial metrics are trailing indicators.
  • How can I develop KPIs?
    • Identify critical business processes and supporting applications.
    • Do not focus exclusively on IT-centric KPIs.
  • Sample KPIs
    • Customer Retention Index
    • Time-to-Market Index
    • R&D Success Index
    • On-time Delivery
    • Supplier On-time Delivery
    • Order Fill Rate
    • Supplier Fill Rate
    • Material Quality
    • Supplier Material Quality
    • Skills Inventory Index
    • Employee Training Index
    • Systems Performance

Gartner provides a catalog of KPIs in "The Gartner Business Value Model" (G00139413).
9
Key Risk Indicators
  • What is a KRI?
    • A key risk indicator is a leading indicator of risk to business performance.
  • How can I develop KRIs?
    • Do not use operational metrics.
    • Do not focus exclusively on IT-centric KRIs or availability.
  • Sample Key Risk Indicators
    • Turnover rate of personnel managing critical systems
    • Critical system downtime due to environmental disruption
    • Critical system downtime due to IT security breaches
    • Critical system downtime due to IT change
    • Number of planned IT changes at different levels of severity

Gartner provides a starting point to develop KRIs in "A Risk Hierarchy for Enterprise and IT Risk Managers" (G00156664).
10
Tip: Map KPIs Into KRIs
11
Tip: Getting Started With KPI/KRI

Step 1: Develop a set of KPIs. Every manager in charge of a silo of risk can look out across their business to identify the key business processes and applications which would be negatively impacted by the risks they address. Don't focus exclusively on IT-centric KPIs. Use the Gartner Business Value Model and vet them with business leaders in the organization.

Step 2: Develop a set of KRIs. Key risk indicators should reflect the silo of risk for which the group developing the indicator is responsible. Select and roll up KRIs from individual risk silos.

Step 3: Create an initial mapping. The mapping should evolve through discussions with risk subject matter experts and appropriate people from the business. Balance confidentiality, integrity, SLA, organizational and other types of threats with availability.

Step 4: Measure and report. Continuously measure and report KRIs in the context of their associated KPIs.
13
Tip: Don't Use Operational Metrics in Executive Communication
  • Communications/awareness
    • Percentage of users "made aware" during period
    • Percentage of IT personnel trained during period
  • Risk assessment status
    • Number of risk assessments conducted
    • Number of risk assessments in progress
    • Number of risk assessments pending/backlogged
    • Number of critical systems with expired risk assessment
  • Vulnerability management (including patch)
    • Number of security alerts processed
    • Number of vulnerability scans in period
    • Number of open vulnerabilities by criticality
    • Number of open vulnerabilities by area and criticality
    • Reduction in number of vulnerabilities during period (by area and volume)
  • Event/incident management
    • Number of privacy violations
    • Number of events (total, reportable, able to be investigated, actionable)
    • Number of hours of induced downtime by critical system
    • Number of incidents by type (configuration error, zero-day vulnerabilities, unpatched vulnerabilities, user error, hacker)
  • Inventory
    • People: users, security FTEs
    • Equipment: desktops, servers, network devices, security devices
    • Resources: connections, applications
  • Program status
    • Percentage of YTD spending of security budget
    • Percentage of completion of annual objectives
    • Percentage of confidence of completing objectives
    • Percentage of security policies refreshed
    • Number of new policies created/implemented
    • Percentage of security processes refreshed
    • Number of new processes created/implemented
  • Project status (major, per project)
    • Percentage completed
    • Percentage of project timeline elapsed
    • Percentage of project budget expended
    • Percentage of confidence of completion
  • Compliance
    • Number of compliance deficiencies, last audit

14
Tip: Link Risk Initiatives to Corporate Goals
  • Sources for corporate goals
    • Annual report
    • Strategic planning documents
    • IT annual plan
    • Steering committees
    • Advisory boards
  • Using their words
    • Link to high-ticket items that have executive attention
    • Big modernization initiative
    • Cost cutting
    • Business transformation initiatives

[Figure: progression from Fear, Uncertainty and Doubt, to Return on Security Investment, to Business Value]
15
Tip: Communicate to Executives Emphasizing What Works and What Doesn't
  • Step 1: Develop a process catalog
    • Enumerate the 10 to 15 high-level processes that represent your program.
  • Step 2: Assess process maturity
    • Create an abstraction to represent how well your processes operate.
  • Step 3: Develop a process-maturity-based risk report
    • Current state (Step 2)
    • Target state (Step 3)
    • Planned state in a given time frame (Step 4)

[Figure: maturity scale 1 to 5 for Incident Response, showing the Current Gap, the Planned Remediation (Project 1, Next Year) and the Residual Gap (Project 2, TBD)]
16
Security Program Maturity Timeline 2009
[Figure: maturity stages over time: Blissful Ignorance, Awareness, Corrective, Operations Excellence; Composite Risk Position plotted against the timeline]
17
The Process: Decomposing the Gaps Into Projects
  • Step 4: Decompose the gaps into projects

[Figure: maturity scale 1 to 5 for Threat and Vulnerability Management, Incident Response and Identity and Access Management, each showing Current State, Planned State, Desired State and Gap; caption: Developing Project Plans]
18
The Process: Developing a Plan
  • Step 5: Develop a strategic plan.
    • Prioritize projects based on budget, impact and schedule.
    • Draw a line and make a recommendation for an annual project plan based on program improvement and lower risk.
    • Use accountability for risk-based decisions to address push-back against recommendations.
    • This changes the fundamental budget justification conversation away from the traditional (failed) models.

19
The Process: Using the Results
  • Step 6: Quarterly reporting

[Figure: maturity scale 1 to 5 for Threat and Vulnerability Management, Incident Response, Identity and Access Management, Process 4 and Process 5, each showing Current State, Planned State, Desired State and Gap]
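The six-step process above (process catalog, maturity assessment, maturity-based risk report, gap decomposition into projects, strategic plan, quarterly reporting) can be carried as a small data model. The following is an added example, not code from the presentation or from Gartner: it scores each catalogued process on the five-level maturity scale, derives the current gap and the residual gap that remains after scheduled projects, and orders the report so that the processes that are not working come first. The process names, maturity scores and projects are constructed sample data, and computing the composite risk position as the mean current maturity across the catalog is an assumption made here.

```python
"""Process-maturity-based risk report (added example, not from the deck).

Constructed sample data below; the composite risk position as the mean of
current maturity scores is an assumption, not a definition from the slides.
"""
from dataclasses import dataclass, field
from typing import List

MATURITY_MIN, MATURITY_MAX = 1, 5   # five-level scale used in the report
UNSCHEDULED = "TBD"                 # a project with no committed time frame


@dataclass
class Project:
    name: str
    target_maturity: int   # maturity the process reaches when the project is done
    planned_for: str       # time frame, e.g. "Next Year", or UNSCHEDULED


@dataclass
class Process:
    name: str
    current: int           # Step 2: assessed maturity today
    desired: int           # Step 3: target state
    projects: List[Project] = field(default_factory=list)   # Step 4

    def validate(self) -> None:
        scores = [self.current, self.desired] + [p.target_maturity for p in self.projects]
        for s in scores:
            if not MATURITY_MIN <= s <= MATURITY_MAX:
                raise ValueError(f"{self.name}: maturity {s} outside {MATURITY_MIN}..{MATURITY_MAX}")
        if self.desired < self.current:
            raise ValueError(f"{self.name}: desired state below current state")

    def planned(self) -> int:
        """Maturity reached once every project with a committed schedule is done."""
        scheduled = [p.target_maturity for p in self.projects if p.planned_for != UNSCHEDULED]
        return max([self.current] + scheduled)

    def current_gap(self) -> int:
        return self.desired - self.current

    def residual_gap(self) -> int:
        """Gap that remains open after the scheduled projects complete."""
        return self.desired - self.planned()


def composite_risk_position(catalog: List[Process]) -> float:
    """Assumed definition: mean current maturity over the process catalog."""
    return sum(p.current for p in catalog) / len(catalog)


def prioritize(catalog: List[Process]) -> List[Process]:
    """Largest current gap first, so 'what's not working' leads the report."""
    for p in catalog:
        p.validate()
    return sorted(catalog, key=lambda p: (-p.current_gap(), p.name))


def quarterly_report(catalog: List[Process]) -> List[str]:
    """One line per process: current / planned / desired, gaps, unscheduled work."""
    lines = []
    for p in prioritize(catalog):
        open_items = [pr.name for pr in p.projects if pr.planned_for == UNSCHEDULED]
        lines.append(
            f"{p.name}: current {p.current}, planned {p.planned()}, desired {p.desired}, "
            f"gap {p.current_gap()}, residual gap {p.residual_gap()}"
            + (f", unscheduled: {', '.join(open_items)}" if open_items else "")
        )
    lines.append(f"Composite risk position: {composite_risk_position(catalog):.1f}")
    return lines


# Constructed sample catalog (three of the 10 to 15 processes a real program would list).
SAMPLE_CATALOG = [
    Process("Threat and Vulnerability Management", current=2, desired=4,
            projects=[Project("Enterprise scanning rollout", 3, "Next Year")]),
    Process("Incident Response", current=1, desired=4,
            projects=[Project("Project 1", 3, "Next Year"), Project("Project 2", 4, UNSCHEDULED)]),
    Process("Identity and Access Management", current=3, desired=4),
]

if __name__ == "__main__":
    for line in quarterly_report(SAMPLE_CATALOG):
        print(line)
```

Re-running `quarterly_report` each quarter with updated `current` scores gives the Step 6 view: the residual gap shrinks only when a project is actually scheduled, so unscheduled "TBD" work stays visible on the report rather than being quietly counted as planned progress.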
20
Summary: Executive Communication Action Steps
  • Tip No. 1: Formalize a risk and security program.
  • Tip No. 2: Map Key Risk Indicators (KRI) into Key Performance Indicators (KPI).
  • Tip No. 3: Don't use operational metrics in executive communication.
  • Tip No. 4: Link risk initiatives to corporate goals.
  • Tip No. 5: Communicate to executives emphasizing what works and what doesn't.

21
Report to the Board: Five Practical Tips to Link IT Risk Management and Compliance to Corporate Performance
  • John P. Morency