Posted on August 27, 2013 by ashley
Jill Hudson, Compliance Associate
Organizations across every industry have begun to experience and acknowledge the need to transition to a more risk-minded information security approach. It has become a challenge for the Chief Security Officer (CSO) not only to protect the organization’s assets, but also to be capable of identifying risks to those assets and then mitigating those risks in a manageable way. “How is it possible for one person to accomplish all this?” you may ask.
Ultimately, the only thing that stands in the way of the CSO role transforming into a Chief Risk Officer (CRO) role is a feasible option for managing the process. For the CSO role to evolve in the right direction, the organization’s mindset on information security must first shift. We must stop thinking of only how to protect data and respond when a new threat or vulnerability is discovered. The transition into a risk-minded structure can only begin once we think outside of ourselves and our own personal knowledge-base.
Peter Tomaszewski, Vice President and Information Security Officer of Bank of Marin in Novato, California explains, “An automated risk assessment delivered via the web helps us ask questions we wouldn’t think of on our own. The benefit of using a cloud-based system is that it asks the questions I may have forgotten to ask and has the ability to leverage the subject matter expertise of those who have deep insight into the current guidance landscape.” According to an April 2013 KBW press release, Bank of Marin is one of forty banks selected in 2012 to the elite Keefe Bruyette & Woods Bank Honor Roll of superior performers.
Education and resource management are essential to successfully adjust mindsets to a global risk management process and program.
Tomaszewski said that “educating and informing the Board and C-Level players on the need and purpose of a risk-minded structure has been one of the trickiest aspects of moving our organization in that direction.” Because regulations and industry standards exist in an ever-changing environment, it is crucial that organizations, and their executives, understand the need for a risk-based information security structure. So how can we educate decision makers on the need for and availability of IT GRC solutions that manage the risk assessment process?
Start by presenting them with the current structure of the company, along with its shortcomings and benefits. Understanding the current environment provides a foundation for why change is necessary in the first place. That education not only affects decisions on funding and information security goals, but it also becomes the catalyst for a company-wide shift toward a risk-based structure.
Time and resource management are also among the top causes of unease about transitioning to a decidedly more risk-based structure. The enormity of the task is what initially shocks CSOs and C-Level decision makers into complacency with the current information security structure. While an organization may conduct an annual risk assessment, the ongoing, living process of managing risk is only now becoming a goal for most.
The trick to effective time and resource management is automation. Reducing the steps and repetitive tasks associated with creating and managing a global risk assessment is the most efficient way to accomplish this. The challenge for IT GRC solutions is to eliminate unnecessary repetition not only within a stand-alone risk assessment, but throughout the life of the organization. It is also important to automate the integration of processes and information from across the company into the global risk assessment.
So far, we have identified the impending changes to organizational information security structures and laid the foundation for how to begin the necessary steps. Education and resource management are the first aspects to consider, but there is much more involved in making those changes effective.
Posted in IT Risk Management and Risk Assessments