Infrastructure management is undergoing a transformation. ITIL can help manage conflicting demands like – “low cost but high service quality”, “ubiquitous access but enhanced security”?


Discover the language of “Information Risk”

"Business-IT alignment" (BIA) is a term that means different things to different people. What is particularly interesting is how it is viewed in different contexts and scenarios. What the business expects from IT in a product-centric industry such as retail differs dramatically from what it expects in a technology-centric business such as a wireless carrier. And does IT have any requirements of the business? Absolutely! So the term "alignment" really needs to be explored in more detail.

And what are those alignment magic words? Performance, cutting-edge capability, efficiency, reuse, key projects, resource skill sets, ROI. And the list goes on.

In the compliance and Security Services domain, BIA takes on an altogether different meaning. The ability of security leadership to communicate, in real terms, the value that the function provides to the business is often lost in the noise of breaches, regulations, control programs and, of course, those lost laptops!

The fundamental question, therefore, is “how do the business and IT communicate when it comes to Information Security Services?”

The answer may lie in taking an altogether different view of Information Risk and how it is managed. In the connected world we live in today, the Confidentiality, Integrity and Availability (CIA) of information and information assets is essential to a successful business. An organization's ability to truly recognize this vital facet will pave the way to a new beginning in BIA. The language of Information Risk will serve as the backbone for this kind of engagement.
 
So how can one do this? Consider these eight basic tenets:
1) Scope - which assets must we cover?
2) Domains - which information zones are relevant?
3) Regulations - which regulations must we address?
4) Periodicity - how frequently should the assessment be run?
5) Ownership - who will participate?
6) Methodology - how will we conduct an Information Risk Assessment?
7) Management - how can we manage this sustainably over the longer term?
8) Business Value - setting the regulatory driver aside, what should be done to add business value?
 
Recently we did a workshop with the Chief Risk Officer of a leading West Coast retail company. When we passed through the physical security folks in the building, the guard at the front desk handed out some dummy badges and actually mentioned to us that the "system was down" and hence he could not assign numbers to the badges. So any badge was OK! As I walked to the elevator, I recalled that this was the exact state around a month back during my last visit. And why should the guard even be talking about something like that to strangers like me?
 
Now let’s look at the definition of Information Risk Management (IRM) as we within Infosys see it, and then come back to the above in a moment.
“Information Risk Management (IRM) is a holistic approach, within specific information management domains, to effectively understand, analyze, report and remediate controls-based risks in order to facilitate organizational compliance and overall business confidence.”
 
Heading back to the above scenario and applying both the definition and the eight tenets, we have:
1) Scope – controls around visitor entry
2) Domains – information about visitors entering the business premises
3) Regulations – access control requirements from Sarbanes-Oxley
4) Periodicity – controls reviewed every month or quarter
5) Ownership – Physical Security, IT and Facilities
6) Methodology – an automated or self-assessment-based approach
7) Management – security awareness training, a centralized repository of controls, graphical reports
8) Business Value – absolutely! Keep track of every visitor on the premises at all times: who came in, why they came, whom they met, when they came in and when they left.
Do you see the language of Information Risk in which the business and IT can communicate? Do you feel this is relevant in your own organization? How will you begin to address the vital nuances of this language?
 

More on the IRM lingo in my next post.
