Putting Enterprise Risk Under the Microscope
"We have to find a way to embed risk assessment ... to make ourselves more competitive," said TIAA-CREF's Jack Freund. "Whether that's an embedded function within IT or an overarching function that exists across multiple business units, there are different models that work for different size companies and companies of different cultural types. But it has to be there. It's absolutely critical."
Recent developments in the cybersecurity landscape have heightened interest in the challenges associated with accurately anticipating and understanding risk, and using that knowledge to better manage organizations.
Enterprises are better delivering risk assessment and, one hopes, defenses, in the current climate of challenging cybersecurity.
Nation-state types of threats may have a very serious impact on organizations. President Obama has directed the National Institute of Standards and Technology to develop a new cybersecurity framework. The administration has sharpened its focus on what can be done to improve cybersecurity throughout the United States' critical infrastructure.
In this podcast, a panel of experts discuss how predicting risks and potential losses accurately is an essential ingredient in enterprise transformation.
Jack Freund is information security risk assessment manager at TIAA-CREF. Jack has spent more than 14 years in enterprise IT, is a visiting professor at DeVry University, and also chairs a Risk-Management Subcommittee for the ISACA.
Jack Jones, principal at CXOWARE, has more than nine years of experience as a chief information security officer. He is also an inventor of the FAIR risk analysis framework.
Jim Hietala is vice president, security, at The Open Group.
The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.
Listen to the podcast (36:54 minutes).
Following are some excerpts:
Dana Gardner: Jack Jones, ... how do you see things? How have things changed, in your perception, over the last six to nine months?
Jack Jones: I continue to see growth and maturity, especially in areas of understanding the fundamental nature of risk and exploration of quantitative methods for it. A few years ago, that would have seemed unrealistic at best, and outlandish at worst in many people's eyes. Now, they're beginning to recognize that it is not only pragmatic, but necessary in order to get a handle on much of what we have to do from a prioritization perspective.
Gardner: Jack Freund, are you seeing an elevation in the attention being paid to risk issues inside companies in larger organizations? Is this something that's getting the attention of all the people it should?
Jack Freund: We're entering a phase where there is going to be increased regulatory oversight over very nearly everything. When that happens, all eyes are going to turn to IT and IT risk management functions to answer the question of whether we're handling the right things. Without quantifying risk, you're going to have a very hard time saying to your board of directors that you're handling the right things the way a reasonable company should.
As those regulators start to see and compare among other companies, they'll find that these companies over here are doing risk quantification, and you're not. You're putting yourself at a competitive disadvantage by not being able to provide those same sorts of services.
Gardner: So you're saying that the market itself hasn't been enough to drive this, and that regulation is required?
Freund: It's probably a stronger driver than market forces at this point. The market is always going to be able to help push that to a more prominent role, but especially in information security. If you're not experiencing primary losses as a result of these sorts of things, then you have to look to economic externalities, which are largely put in play by regulatory forces here in the United States.
Jones: To support Jack's statement that regulators are becoming more interested in this too, just in the last 60 days, I've spent time training people at two regulatory agencies on FAIR. So they're becoming more aware of these quantitative methods, and their level of interest is rising.
Gardner: Jack Jones, this is probably a good time for us to explain a little bit more about FAIR. For those listeners who might not be that familiar with it, please take a moment to give us the high-level overview of what FAIR is.
Jones: Sure, just thumbnail sketch of it. It's, first and foremost, a model for what risk is and how it works. It's a decomposition of the factors that make up risk. If you can measure or estimate the value of those factors, you can derive risk quantitatively in dollars and cents.