Title: Report to the Board: Five Practical Tips for Linking IT Risk Management and Compliance to Corporate Performance
- John P. Morency, Research Director
- IT Infrastructure Operations Research
- (978)-901-4123
- John.Morency_at_gartner.com
Report to the Board: Scenario
Problem
The CISO (a direct report to the CIO) received a call on a Thursday requesting a 20-minute overview of risk and security for the board of directors on the following Monday, the first such briefing in four years.
Approach
- Link risk and security activities to corporate initiatives.
- Avoid fear, uncertainty and doubt.
- Create a four-slide deck with emphasis on what's working and what's not.
- Create 20 backup slides with greater detail and operational metrics.
Challenges
- The urge to panic.
- Sorting through the plethora of available information for the nuggets of interest to the board.
- Coordinating the input of 15 direct reports.
- Rationalizing the results of a recent risk assessment.
Business Value
Effective board reporting provides transparency to the business and helps reduce risks that impact corporate performance.
Key Issues
1. What do boards and lines-of-business executives want from risk and security?
2. How do the risk-based disciplines impact corporate performance?
3. How can you present a defensible case for the value and effectiveness of risk management to an executive audience?
Tip: Set Key Risk and Security Program Management Objectives
- Accountability: provides for tying actions to people and assigning the necessary responsibility within a sound governance framework.
- Transparency: makes the operations of an organization more auditable by increasing visibility into core processes.
- Measurability: provides the basis for continuous improvement and allows for the creation of a baseline against which later results can be compared.
Tip: Use Key Performance Indicators to Measure Operational Risk
Key Performance Indicators
- What is a KPI?
  - A key performance indicator is a non-financial leading indicator of business performance.
  - Traditional financial metrics are trailing indicators.
- How can I develop KPIs?
  - Identify critical business processes and their supporting applications.
  - Do not focus exclusively on IT-centric KPIs.
- Sample KPIs
  - Customer Retention Index
  - Time-to-Market Index
  - R&D Success Index
  - On-time Delivery
  - Supplier On-time Delivery
  - Order Fill Rate
  - Supplier Fill Rate
  - Material Quality
  - Supplier Material Quality
  - Skills Inventory Index
  - Employee Training Index
  - Systems Performance
Gartner provides a catalog of KPIs in "The Gartner Business Value Model" (G00139413).
Key Risk Indicators
- What is a KRI?
  - A key risk indicator is a leading indicator of risk to business performance.
- How can I develop KRIs?
  - Do not use operational metrics.
  - Do not focus exclusively on IT-centric KRIs or on availability.
- Sample Key Risk Indicators
  - Turnover rate of personnel managing critical systems
  - Critical system downtime due to environmental disruption
  - Critical system downtime due to IT security breaches
  - Critical system downtime due to IT change
  - Number of planned IT changes at different levels of severity
Gartner provides a starting point to develop KRIs in "A Risk Hierarchy for Enterprise and IT Risk Managers" (G00156664).
Tip: Map KPIs Into KRIs
Tip: Getting Started With KPI/KRI
Step 1: Develop a set of KPIs. Every manager in charge of a silo of risk can look out across their business to identify the key business processes and applications that would be negatively impacted by the risks they address. Don't focus exclusively on IT-centric KPIs. Use the Gartner Business Value Model and vet the KPIs with business leaders in the organization.
Step 2: Develop a set of KRIs. Key risk indicators should reflect the silo of risk for which the group developing the indicator is responsible. Select and roll up KRIs from the individual risk silos.
Step 3: Create an initial mapping. The mapping should evolve through discussions with risk subject matter experts and appropriate people from the business. Balance confidentiality, integrity, SLA, organizational and other types of threats against availability.
Step 4: Measure and report. Continuously measure and report KRIs in the context of their associated KPIs.
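The following is an added worked example, not code from the Gartner deck, showing Steps 2 to 4 end to end: a quarter of operational outage records is rolled up into the "critical system downtime due to ..." KRIs from the Key Risk Indicators slide, each KRI is compared with a tolerance, and the result is reported at the level of the KPIs it threatens. The outage log, the thresholds and the KRI-to-KPI mapping are all constructed assumptions for illustration.

```python
"""Added example, not from the Gartner deck: roll operational outage records up into
the KRIs named on the Key Risk Indicators slide and report each KRI against the KPIs
it threatens (Steps 2 to 4). The outage log, the KRI thresholds and the KRI-to-KPI
mapping are constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outage:
    system: str      # application or system name
    critical: bool   # on the critical-system list identified in Step 1?
    cause: str       # "security_breach", "change", "environmental" or "other"
    minutes: int     # minutes of downtime


# Constructed outage log for one quarter (assumption, not real data).
OUTAGES = [
    Outage("order-mgmt", True, "change", 90),
    Outage("order-mgmt", True, "security_breach", 240),
    Outage("supplier-portal", True, "environmental", 45),
    Outage("intranet-wiki", False, "security_breach", 600),  # not critical: excluded from KRIs
    Outage("erp", True, "change", 180),
    Outage("erp", True, "change", 30),
]

# Step 2: KRIs from the slide, each "critical system downtime due to <cause>" in hours.
KRI_CAUSES = {
    "critical_downtime_security": "security_breach",
    "critical_downtime_change": "change",
    "critical_downtime_environmental": "environmental",
}

# Step 3: initial mapping from each KRI to the KPIs it puts at risk (assumption,
# to be vetted with the business owners of those KPIs).
KRI_TO_KPI = {
    "critical_downtime_security": ["On-time Delivery", "Customer Retention Index"],
    "critical_downtime_change": ["On-time Delivery", "Order Fill Rate"],
    "critical_downtime_environmental": ["Order Fill Rate"],
}

# Tolerated hours per quarter for each KRI (assumption agreed with the business).
KRI_THRESHOLD_HOURS = {
    "critical_downtime_security": 2.0,
    "critical_downtime_change": 4.0,
    "critical_downtime_environmental": 1.0,
}


def compute_kris(outages):
    """Return {kri: downtime hours}, counting critical systems only."""
    hours = defaultdict(float)
    for kri in KRI_CAUSES:
        hours[kri] = 0.0
    for outage in outages:
        if not outage.critical:
            continue
        for kri, cause in KRI_CAUSES.items():
            if outage.cause == cause:
                hours[kri] += outage.minutes / 60.0
    return dict(hours)


def kpi_risk_report(outages):
    """Step 4: the board-level view. Returns {kpi: {"status": ..., "breached_kris": [...]}}
    where status is "at risk" if any linked KRI exceeds its threshold."""
    kris = compute_kris(outages)
    report = {}
    for kri, kpis in KRI_TO_KPI.items():
        breached = kris[kri] > KRI_THRESHOLD_HOURS[kri]
        for kpi in kpis:
            entry = report.setdefault(kpi, {"status": "within tolerance", "breached_kris": []})
            if breached:
                entry["status"] = "at risk"
                entry["breached_kris"].append(kri)
    return report


if __name__ == "__main__":
    # The raw outage count and minutes stay in the backup slides; only the
    # KPI-level status goes to the board.
    for kpi, entry in sorted(kpi_risk_report(OUTAGES).items()):
        print(f"{kpi}: {entry['status']} {entry['breached_kris']}")
```

Note what the board slide does not show: the 600 minutes on the non-critical wiki never enters a KRI, and the individual outage counts never leave the backup slides. With the sample data, security-breach downtime (4 hours) and change-induced downtime (5 hours) both exceed their tolerances, so On-time Delivery, Customer Retention Index and Order Fill Rate are all reported as at risk, while environmental downtime stays within tolerance.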
Tip: Don't Use Operational Metrics in Executive Communication
Metrics such as the following belong in the backup slides, not in the four-slide executive deck.
- Communications/awareness
  - Percentage of users "made aware" during period
  - Percentage of IT personnel trained during period
- Risk assessment status
  - Number of risk assessments conducted
  - Number of risk assessments in progress
  - Number of risk assessments pending/backlogged
  - Number of critical systems with an expired risk assessment
- Vulnerability management (including patching)
  - Number of security alerts processed
  - Number of vulnerability scans in period
  - Number of open vulnerabilities by criticality
  - Number of open vulnerabilities by area and criticality
  - Vulnerability reduction during period (by area and volume)
- Event/incident management
  - Number of privacy violations
  - Number of events (total, reportable, investigable, actionable)
  - Hours of induced downtime by system criticality
  - Number of incidents by type (configuration error, zero-day vulnerability, unpatched vulnerability, user error, hacker)
- Inventory
  - People: users, security FTEs
  - Equipment: desktops, servers, network devices, security devices
  - Resources: connections, applications
- Program status
  - Percentage of security budget spent year to date
  - Percentage of completion of annual objectives
  - Percentage confidence of completing objectives
  - Percentage of security policies refreshed
  - Number of new policies created/implemented
  - Percentage of security processes refreshed
  - Number of new processes created/implemented
- Project status (major projects, per project)
  - Percentage completed
  - Percentage of project timeline elapsed
  - Percentage of project budget expended
  - Percentage confidence of completion
- Compliance
  - Number of compliance deficiencies at last audit
Tip: Link Risk Initiatives to Corporate Goals
- Sources for corporate goals
  - Annual report
  - Strategic planning documents
  - IT annual plan
  - Steering committees
  - Advisory boards
- Use their words.
- Link to high-ticket items that have executive attention
  - Big modernization initiatives
  - Cost cutting
  - Business transformation initiatives
[Figure: a spectrum of justification styles running from Fear, Uncertainty and Doubt, through Return on Security Investment, to Business Value]
Tip: Communicate to Executives Emphasizing What Works and What Doesn't
- Step 1: Develop a process catalog. Enumerate the 10 to 15 high-level processes that represent your program.
- Step 2: Assess process maturity. Create an abstraction to represent how well your processes operate.
- Step 3: Develop a process-maturity-based risk report showing:
  - Current state (Step 2)
  - Target state (Step 3)
  - Planned state in a given time frame (Step 4)
[Chart: maturity scale 1 to 5 for Incident Response, marking the current gap, the planned remediation (Project 1, next year) and the residual gap (Project 2, TBD)]
Security Program Maturity Timeline 2009
[Chart: composite risk position plotted over time through the stages Blissful Ignorance, Awareness, Corrective and Operations Excellence]
The Process: Decomposing the Gaps Into Projects
- Step 4: Decompose the gaps into projects.
[Chart: maturity scale 1 to 5 for Threat and Vulnerability Management, Incident Response and Identity and Access Management, each marking current state, planned state, desired state and gap, with the gaps feeding the project plans]
The Process: Developing a Plan
- Step 5: Develop a strategic plan.
  - Prioritize projects based on budget, impact and schedule.
  - Draw a line and make a recommendation for an annual project plan based on program improvement and lower risk.
  - Use accountability for risk-based decisions to address push-back against recommendations.
  - This changes the fundamental budget justification conversation away from the traditional (failed) models.
The Process: Using the Results
- Step 6: Quarterly reporting.
[Chart: maturity scale 1 to 5 for Threat and Vulnerability Management, Incident Response, Identity and Access Management, Process 4 and Process 5, each marking current state, planned state, desired state and gap]
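The following is an added worked example, not code from the Gartner deck, carrying Steps 2 to 6 of the process-catalog approach through in one place: maturity scores per process, the gap to the desired state, candidate projects that decompose each gap, a budget line drawn by ranking projects on maturity gained per unit cost, and the quarterly report rows (current, planned, desired, residual gap) that result. The catalog, the scores, the projects, their costs and the budget are constructed assumptions.

```python
"""Added example, not from the Gartner deck: Steps 2 to 6 of the process-catalog
approach. The catalog, the maturity scores (1 to 5), the candidate projects, their
costs and the budget are constructed assumptions for illustration."""
import copy
from dataclasses import dataclass


@dataclass
class ProcessState:
    current: int       # Step 2: assessed maturity, 1 to 5
    desired: int       # Step 3: target state
    planned: int = 0   # filled in by plan_year(): state after the funded projects

    def gap(self):
        return self.desired - self.current


@dataclass(frozen=True)
class Project:
    name: str
    process: str   # catalog entry the project improves
    gain: int      # maturity levels gained when complete
    cost: int      # budget units (assumption)


# Steps 1 and 2: process catalog with current and desired maturity (constructed).
CATALOG = {
    "Threat and Vulnerability Management": ProcessState(current=2, desired=4),
    "Incident Response": ProcessState(current=1, desired=4),
    "Identity and Access Management": ProcessState(current=3, desired=4),
}

# Step 4: candidate projects that decompose the gaps (constructed).
PROJECTS = [
    Project("Authenticated vulnerability scanning", "Threat and Vulnerability Management", 1, 40),
    Project("Risk-based patch SLA programme", "Threat and Vulnerability Management", 1, 60),
    Project("Write and exercise IR playbooks", "Incident Response", 2, 50),
    Project("24x7 on-call rotation", "Incident Response", 1, 120),
    Project("Quarterly access recertification", "Identity and Access Management", 1, 30),
]


def plan_year(catalog, projects, budget):
    """Step 5: rank projects by maturity gained per unit cost, fund them in that
    order up to the budget line, and never plan a process beyond its desired
    state. Returns (funded, deferred, spent, catalog with planned states)."""
    catalog = copy.deepcopy(catalog)   # leave the assessed catalog untouched
    for state in catalog.values():
        state.planned = state.current
    ranked = sorted(projects, key=lambda p: p.gain / p.cost, reverse=True)
    funded, deferred, spent = [], [], 0
    for project in ranked:
        state = catalog[project.process]
        if spent + project.cost > budget or state.planned + project.gain > state.desired:
            deferred.append(project)   # below the line: the residual gap is a board decision
            continue
        funded.append(project)
        spent += project.cost
        state.planned += project.gain
    return funded, deferred, spent, catalog


def quarterly_report(catalog):
    """Step 6: one row per process: (name, current, planned, desired, residual gap)."""
    return [(name, s.current, s.planned, s.desired, s.desired - s.planned)
            for name, s in catalog.items()]


if __name__ == "__main__":
    funded, deferred, spent, planned = plan_year(CATALOG, PROJECTS, budget=150)
    print(f"funded ({spent} units):", [p.name for p in funded])
    print("deferred:", [p.name for p in deferred])
    for row in quarterly_report(planned):
        print(row)
```

With a budget of 150 units the ranking funds the IR playbooks, the access recertification and the vulnerability scanning (120 units) and defers the patch SLA programme and the on-call rotation. The quarterly report then shows Incident Response and Threat and Vulnerability Management each one level short of their desired state and Identity and Access Management at target; the deferred projects are the accountability record for those residual gaps when push-back arrives.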
Summary: Executive Communication Action Steps
- Tip No. 1: Formalize a risk and security program.
- Tip No. 2: Map Key Risk Indicators (KRIs) into Key Performance Indicators (KPIs).
- Tip No. 3: Don't use operational metrics in executive communication.
- Tip No. 4: Link risk initiatives to corporate goals.
- Tip No. 5: Communicate to executives emphasizing what works and what doesn't.