I have observed that CIOs are usually hesitant to go toe-to-toe against a regulator or an auditor. One of the major issues is that a lot of times, after reviewing a risk assessment, we are operating from purely intuition. It is important that you take a rigorous approach to preparing for these discussions by combining intuition with critical thinking and rationale.
By using your own intuition in combination with critically thinking through complex problems, you are able to develop a defensible argument. You are now able to validate surface assumptions and estimates before presenting, and placing information before auditors.
Just having the framework for discussing and debating topics with your auditor is extremely valuable. There are a few tools and tricks I want to share with you that will help you to better prepare a defensible argument that is backed with rigor, critical thinking, and logic. It can be very powerful to go before authorities this way, and I want to be able to help you do this.
I want to introduce you to the FAIR Institute. This organization was established by forward thinking innovative IT leaders to “establish and promote information risk management best practices that empower risk professionals to collaborate with their business partners on achieving the right balance between protecting the organization and running the business.” This powerful mission statement is made clear the second you visit the FAIR Institute website. FAIR Institute is an entire ecosystem filled with educational materials and individuals who are dedicated to do exactly what their mission statement claims.
I had the Chairman and Founder of the company, Jack Jones, on my Podcast series earlier this year, and we discussed the FAIR framework. I highly suggest that you read extensively about this model in the book Measuring and Managing Information Risk: A FAIR Approach, co-written by Jones. In the meantime, stay right here to learn a bit about some key concepts from the book.
The FAIR model is so valuable because it provides an entire framework for understanding, managing, and prioritizing information security risk. Every organization’s risk summary includes the top 10 risks that the business is facing. These risks include cybercriminals, social engineering, change management, mobile media, cloud computing, etc. If you look at the broad range of risks you’re dealing with, it’s like comparing apples to oranges. How do we categorize and prioritize these risks? The FAIR Institute Blog has an ongoing 5 part post dedicated to this topic. The way that many organizations go about managing and identifying their top 10 risks is a huge problem. We cannot expect to mature if we can’t get a fundamental nomenclature correct.
The best way to manage these types of risk assessments is by really analyzing each individual risk, so we can understand the potential loss scenarios involved with them, and the potential revenue impact. The FAIR model emphasizes the use of taxonomy: breaking down and categorizing each individual risk in a way that clearly distinguishes one from another.
The best way to do this is by creating one list for your top loss scenarios; the risks that really have the potential to do the most major damage, and a separate list for what is called controlled efficiencies. This second list should be made up of your more common risk items that come from your top 10 list. Once you have created the two separate lists, you can identify which controlled efficiencies are contributing to your top loss scenarios. You are now able to determine which risks you should really be hitting hard. This method of breaking down each of the risks into separate categories really strengthens your understanding of your overall risk environment. Typical top 10 lists are basically a list of misinformation, because there’s no way to distinguish between the heavy hitters, and the underlying risks that are leading to them.
By following the FAIR approach, you eliminate the grey areas, and are able to better prepare a defensible argument that your auditor won’t be able to refute. Next time you have the chance, don’t be afraid to go toe-to-toe with your auditor.
Bill Murphy is the founder in 2001 of RedZone Technologies, a world class IT Security Assessment company. RedZone helps you combat auditors and others who may be preying on your perceived weaknesses. The team at RedZone are experts at turning perceived audit vulnerabilities into offensive advantages.
Reduce the Ceiling of IT Security Complexity with the CIO Security Scoreboard. Learn more here