New Roles in Risk Management
Impact of Today's Threats on Tomorrow's Risk Managers
Social media is growing in a lot of organizations, and in order to effectively mitigate the potential threats, risk managers must embrace and educate employees. "Educate people about their risk exposure or their organization's risk tolerance and profile," Stroud says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
In an always changing environment, risk managers need to understand the information they are protecting and communicate best practices within the organization.
Going forward, risk managers need to get closer to the business, Stroud says. They must understand the fundamental business requirements, become tech-savvy, embrace emerging trends, and make the move from IT to enterprise risk management.
Risk managers will need to make appropriate judgments in managing an organization's threats, including new ones that come along down the road. "Rather than doing one size fits all, we're going to do scenario-based risk management," Stroud says.
In an exclusive interview about risk management careers, Stroud discusses:
- Lessons learned from the recent breaches at Sony and RSA;
- The risks of emerging technologies such as social media and cloud computing;
- The new skills needed to face tomorrow's challenges.
Stroud is the former chair of the COBIT Steering Committee and is part of the Framework committee. Stroud also serves on the itSMF International Board as Treasurer and Director Audit, Standards and Compliance and leads the itSMF ISO liaisons to multiple working groups.
Formerly CA's global evangelist for service management and governance, Stroud is dedicated to the development and communication of industry best practices and acts as a strong advocate for the customer - working closely with users, industry organizations, government agencies, and IT luminaries to identify and communicate IT best practices. He is a mentor to many organizations, advising them on their implementations to ensure they drive maximum business value throughout the process.
TOM FIELD: For listeners who haven't heard you before, maybe you could tell us a little bit about yourself and the work that you do please?
ROBERT STROUD: I am a two-headed monster if you will. I work in the daytime with a company called CA Technologies in the strategy and innovation group. But I spend most of my time working with ISACA, communicating the various best practice standards and developing them as well for ISACA. It's been a long career in banking and just for fun I play with security in my spare time.
FIELD: Well you haven't had much spare time this year because there's been a lot of fun with security.
STROUD: It's been one of those years, hasn't it, where it's just one incident after the other.
Safeguarding Against Data Breaches
FIELD: Well that's it. We've seen this procession of breaches almost by the day, and it begs the question. What are some of the steps that risk managers can take to safeguard their organizations against the types of data breaches that we've seen?
STROUD: The first reaction always is to go and put up big, big walls and stop people from getting in every time we see one of these breaches. For risk managers, it's the very nature of their role. They need to understand the potential risk of any breach. Some breaches will have minimal impact on the business and some breaches may just be embarrassing and have some major impact. As risk managers, we've got to focus on that key information and data that we need to protect. We need to identify that to the organization. We need to clearly articulate that to the organization. Finally, we need to ensure that we help the organization put appropriate safeguards around that information, because at the end of the day really it's all about the data.
FIELD: We've had the opportunity to sit on the outside and see some highly publicized incidents, such as the breaches with Sony and RSA. When you look at some of these incidents, what do you see as some of the lessons learned for risk managers?
STROUD: Sony and RSA are just two of many this year. And let's face it, there are going to be more. That's going to continue. One of the lessons learned with the Sony incident was the amount of time that the PlayStation network was off the air. It was amazing the amount of time that it went on, for so long and in such dramatic fashion. Sony was off the air for a period of time. It just shocked us all, didn't it? They had to develop business continuity and I think that business continuity is the key aspect. We've got to understand, like any other major event or incident, that when we have an outage or an impact on the business, we need to have a continuity plan. Risk managers need to develop that plan and be involved in development of it so the organization can stay live and available. I think that's one of those key aspects, once again, going back to the information. If we understand what the information is, and the risk and impact on the business, then what we can do is set up the right precautions and safeguards so that we can ensure that we protect against it.
RSA is another one. The real issue with RSA is no one really has a valid understanding of what the impact is. There's lots of speculation and that's one of the key aspects. What may or may not have been compromised? That gets back to clear communication. If you do have a breach, what are the clear communication guidelines you are going to have to put in place? How are you going to communicate that breach? Do you even need to communicate the breach? Or you have a transparent policy, or it's personal information that you do really have to communicate that breach. I think all of us have had that notice from the credit card company saying that they are issuing you a new credit card. Your number may have been exposed. That puts fear, uncertainty and doubt into folks. But it's almost becoming business as usual, isn't it?
New Risks in Social Media, Cloud Computing
FIELD: It really is. I want to take you to another direction entirely. In addition to the breaches that we've seen this year, we've also seen a lot of organizations that are benefiting from emerging technologies such as social media, mobility and cloud computing. But with these opportunities comes risk as well. So for a risk manager, what are some of the absolute priorities that have to be on their agenda to protect an organization from these risks?
STROUD: Look, the world is changing faster than I can keep up with it, and I think that is true for all of us. I think risk managers need to go back to three fundamental things. First, they need to understand the information they are protecting. What is it? Is it business critical? Is it going to jump or put the organization in hot water if it's leaked out there? Is it going to expose the organization? That needs to really be understood, and then you need to set up your risk posture on that particular potential breach based on that.
For instance, social media, it's growing in a lot of organizations. You can take the approach where you can just block it. Just fundamentally put up a brick wall that says no social media here. When you walk around the office and you see the Y generation with these wonderful smart phone devices and various other components such as an iPad; they're totally leveraging them whether you've blocked it or not. In that particular case, risk managers need to ensure that the risk is communicated, or the exposure is communicated to the staff appropriately. The first is the information; understand the risk. The second is communicating effective good practices. And the third one is to really have trained risk professionals in the organization.
People for instance who have a part of ISACA, taking a role of the understanding, they have a certification. These risk professionals put them in roles where they can actually deliver value to the organization, where they can actually make a judgment call of whether something is critical or not critical. The fundamental aspect there is with things that don't need huge walls put around, remove those barriers. Remove those barriers from people so that they understand the areas where they need to be concerned about, which gets you back to your communication and education.
I have a policy that I use which is, we embrace and educate. We educate people about their risk exposure or their organization's risk tolerance and profile. We allow them to make the decisions in their business units or their areas based on the data they have.
New Skills for Risk Managers
FIELD: Looking toward the future, what do you see as some of the additional skill sets that risk managers are going to need to embrace themselves or educate themselves?
STROUD: Going forward, a risk manager, like most roles within IT, is going to have to get closer to the business. They are going to have to understand the fundamental business requirements in all they do. At the same time, a risk manager also needs to be savvy with technologies that are emerging and coming around the corner so that they can make a good call. They've got to get ahead of the technology, not behind it. One of the features that I see many good risk managers doing, and doing well, is they're getting out of just IT risk management and into enterprise risk management. They are understanding enterprise profile, the enterprise business plan and the enterprise direction. In so doing, they can then go and make a balanced risk decision. We need to put a risk framework or a risk process in place in our organization.
If I can just give you a good example, risk management is second nature to most of us crossing the road. We cross the road, we look the appropriate ways and based on the risk, situation and the scenario end, we may choose to cross at a state of life. That's mitigating the risk because there's a high risk, or high probability, that something might go wrong. It's not just because the rule says so. In that particular case, you mitigate that risk and do that now. If you trust a road, if it's a quiet country road, you've done the right thing, looked both ways and see that no cars are coming, you can make a risk-based decision to cross then and there. That's one of the interesting comforts about risk going forward with risk managers. The risk profile and the risk scenario are going to change. It's going to be modified based on the environment, the situation you are in, the time of day, lots of parameters. And it won't be the same forever. Data which might have been super critical, for instance, last week, may reach a period of time where it's no longer super critical. Your risk posture and risk profile have to change.
As a risk manager, you need to keep up-to-date, stay current and understand the business. Going forward you need to keep one eye on technology and one eye on the business. That third spare eye, you can use for doing your risk work that you do every day.
Advice for New Risk Managers
FIELD: That's well said, and it leads me to a final question here. We've talked an awful lot about the threat landscape and technological advancement. For risk managers that are entering the field today looking to grow their careers, what advice would you give to them to stay current and even stay ahead to some degree?
STROUD: One of the things they can do is follow the podcasts and the writing that you do. That would always be a good area to start with. But fundamentally organizations such as ISACA, which I am a member of, we have risk as a high level item. It's an item that we communicate and educate on all the time. You need to stay aware of the industry. You need to connect with your peers. You need to also ensure that you are continuing your education. You need to continue to move forward and understand how the threat and vulnerability of the landscape is changing. Reading the newspaper every day, there's almost always a security exposure, threat, profile of vulnerability or attack in there. You need to keep up with those.
You need to stay one step ahead of those bad people that are out there because there are bad people. At the same time, you need to ensure that in your role, you have a balanced approach. You're not stopping the people who are doing the right thing. That's one of the big fallacies I've seen in my time in the industry. Often, we'll go and put a rule into the worst possible scenario, which makes the system almost unusable. We have to avoid the passion to do that. We have to ensure that we make an appropriate judgment based on the scenario, and I think that's clearly the new thing that we're going to see with risk management. Rather than doing one size fits all, we're going to do scenario-based risk management. We're going to play the roles in our head, like you would play a computer game. You're going to see what the scenario is. You are going to see what the outcomes are and then you're going to indeed make a determination based on that.