Sunday, December 8, 2019

Support of a Significant Technology Decision

Question: Discuss the support of a Significant Technology Decision.

Answer:

Introduction

The objective of this paper is to understand the various risk perspectives in the situation described above. Integrated risk management enables the simplification, automation and integration of strategic, operational and IT risk management processes and data. Risk management solutions are an increasing area of focus for most organizations, as risk profile complexity and interconnected relationships grow explosively. According to a 2016 survey of risk executives by the Risk and Insurance Management Society, 74% of respondents state that their ability to forecast critical risks will be more difficult in three years. Moreover, the leading obstacle to forecasting critical risks noted by these executives is the continued lack of cross-organization collaboration (Galliers, 2014; Neves, 2014). To understand the full scope of risk, organizations require a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities. As a result, new technology solutions are emerging to increase the collaborative nature of risk management, both within and external to the organization.

IT risks are those within the scope and responsibility of IT, the IT department or IT dependencies that create uncertainty in business activity. IT risk management (ITRM) solutions automate IT risk assessments, policy management, control mapping and reporting, security operations analysis and reporting, and incident management (Haimes, 2015).

Over the past decade, risk management programs have matured to focus on more than just compliance and on the interconnected nature of operational risk across an enterprise. Gartner defines this approach to risk management as integrated risk management (IRM). IRM is a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks (Haimes, 2015).

Review of the Industry Solutions

First, to assess and mitigate the widening array of digital risks, you need the right framework. This is especially true given the growing complexity around third-party and vendor risk management and the proliferation of cloud technology deployments. Gartner's research will focus not only on methods to assess these risks, but also on risk treatment alternatives such as cyberinsurance. New leaders in digital risk also need the right metrics to make better business decisions by linking risk and performance. Risk metrics can also be used to direct audit and compliance resources to the right areas rather than succumbing to the dreaded "check-the-box" syndrome. Gartner's research focus in 2017 will include views on how companies can link risk management and corporate performance management via metrics.
Using key risk indicators tied to key performance indicators, business leaders can deploy risk management resources to the areas that will have the greatest impact on the future success of the business (Galliers, 2014). Finally, to support your efforts to manage these new risks, you need the right systems. Gartner will explore the current trends in the use of IRM solutions in areas such as legal, e-discovery and operational risk management, and will also discuss new and future trends around the evolution of digital risk management technology.

Without a full understanding of how risks affect the performance of business units and individuals in meeting their goals, the entire company will have difficulty meeting its long-term strategic objectives. Companies must explicitly identify how risk influences the behavior and ability of individuals in achieving their goals. Gartner developed its business risk model to help companies define leading risk indicators as a way to focus efforts on high-value activities (Sadgrove, 2016). This model can be fully implemented in four to six weeks, and provides a mechanism for companies to answer the following questions:

- What risk metrics should the company utilize to improve decision making and, more importantly, to position the company to achieve its performance goals?
- How can key risk indicators be used to adjust the key performance indicators to inform better decision making?
- Where do IT key risk indicators map to business process objectives and controls?

Changes in the Security Position and Assessment

While technology is often viewed as a panacea for risk management challenges, it is most useful and cost-effective when deployed as an enabler of a well-defined program. Too often, companies overengineer the supporting risk management processes around a particular IRM solution, resulting in greater bureaucracy and wasted investment. Using Gartner's IRM pace-layering methodology and related Magic Quadrants, Critical Capabilities and Market Guides, you can identify and implement the right systems to address the following questions:

- What risk-related technologies are required to fully comprehend a company's dynamic risk profile?
- How can purpose-built IRM solutions that serve different risk and compliance domains be integrated to form a cohesive solution portfolio?
- What are the common risk assessment and data needs for comprehensive risk management across the enterprise?
- Where can I find the right systems to enable my risk management program in an integrated way?

Key Challenges

In many organizations, security and security risk governance practices are still immature, and they often lack executive support and business participation. Many organizations struggle to establish clear accountability and authority, which are key prerequisites for effective, risk-based security decision making.
The increasing adoption of digital business strategies has resulted in citizen IT initiatives that challenge conventional security and security risk governance practices.

Recommendations

Security and risk management leaders responsible for information security management programs should:

- Implement governance processes and activities that support accountability, authority, risk management and assurance.
- Institute governance roles and forums that will support decision making and oversight.
- Ensure that the right people, with appropriate authority to make governance decisions, are involved in the governance processes and forums.

Implement Governance Processes and Activities That Support Accountability, Authority, Risk Management and Assurance

The single most important goal of the governance function is to establish and manage clear accountability and decision rights for the protection of the enterprise's information resources. Without this, security policies will be ineffective, security processes will fail, moral hazards will prevail and risks will not be controlled.

Set and Manage Accountability and Decision Rights

The principle of owner accountability must be documented in an enterprise security charter (ESC): ultimate accountability for protecting the enterprise's information resources and, by implication, its business processes and outcomes, rests with the business owners of the information resources. The biggest security weaknesses are often inherent in weak business processes, and these present major risks to the information and to business outcomes. The ESC must establish that the resource owners have the authority to make the risk-based decisions required to fulfill their accountability. Resource owners are typically business process, application and data owners (i.e., the roles that own the security risk). When clear business resource ownership cannot be identified (e.g., in cases of shared information and infrastructure), the accountability, risk ownership and associated authority must be vested with the CIO or another central function, such as the COO (Haimes, 2015). The detailed accountability and decision rights for the security and risk processes should be documented and communicated through responsible, accountable, consulted and informed (RACI) charts.

The ESC must also provide a clear mandate for establishing and managing an information/cybersecurity program, including determining its scope. This mandate typically vests the chief information security officer (CISO) with the responsibility and authority to run the program. Digital business transformation presents new challenges to security and risk governance, and it is imperative that the six principles of trust and resilience in digital business are also captured in the ESC. One practical manifestation of the accountability and decision rights for security risk is the policy management process and framework that the resource owners, CIOs and CISOs must use to implement their risk control decisions. The CISO is responsible for defining a security policy hierarchy and process that makes this as easy and effective as possible. Another practical manifestation of accountability is the structure of the security organization. There is no single best-practice template for the security organization; however, from a governance perspective, it is important to optimally balance the assurance, strategic and operational processes and tasks in a practical organizational model. In the context of digital business, the onus is on senior leadership to invest in developing and recruiting the new skills required for such processes as agile and Mode 2 development, which increasingly integrate operational technology and the Internet of Things (Schneider, 2014).
Decide Acceptable Risk

The second major goal of the governance function is to decide levels of acceptable risk. This entails empowering the resource owners, the CIO and the CISO with the context, skills and resources to perform appropriate risk assessments. Based on the results of these assessments, the resource owners must decide how much risk is acceptable, as well as how to deal with the unacceptable risk at a defined cost. The risk treatment plan must then be approved by the relevant governance body and formalized in policies and appropriate controls. In a digital business environment, this implies that all the relevant parties understand and can deal with the potentially conflicting risk appetites inherent in both agile and Mode 2 projects.

An important element of managing risk is to understand that individual resource owners might have different risk appetites, and that these could conflict with the formal corporate risk appetite or with the risk appetites of other resource owners. Hence, a key governance function is to implement and manage a process to arbitrate among conflicting risk appetites. Typical conflicts that require arbitration include situations in which:

- A resource owner believes he or she has a valid business reason for requesting exemption from existing policy or control requirements for an application or system.
- Different resource owners have different risk appetites and, hence, different security control requirements for their systems, even though these systems will share infrastructure. The prevalence of this type of conflict increases in organizations embracing digital business development strategies.
- A business owner may be willing to accept a risk, but the risk exceeds the enterprise's risk appetite.

Enable Risk Control

The third governance goal is to enable effective risk control within a context of limited financial and human resources. The key enablers for effective risk control are to establish:

- A formal security program that implements and operates the security controls. In too many organizations, these security programs implement controls for the sake of having controls (often guided by some arbitrarily selected control framework), rather than understanding the real risk context. Although the security team is typically responsible for the practical implementation and operation of most security controls, the governance function must ensure the proper prioritization of security investments, based on the expected risk reduction, the resource requirements and the expected time to value of the respective projects in the roadmap.
- A strategic planning capability that enables the organization to develop and refine a roadmap of investments that recognizes continuous change in the business, technology and threat environments. The increased velocity associated with digital business means that organizations are increasing the frequency (and decreasing the planning horizons) of their strategic planning activities. In the past, enterprises commonly developed security strategy plans with three- to five-year horizons every three years; however, most now have an annual plan with a two- to three-year planning horizon. More-mature organizations are formalizing a quarterly review of their security strategies to make timely adjustments, based on changes in the business, technology and threat environments.

Assure Control Effectiveness

The fourth governance goal is to assure control effectiveness. This typically entails periodic policy and control compliance assessments, including evaluating the retained risk and deciding whether additional remedial investment is required. This function also includes ensuring that prescribed security controls are integrated into new applications or infrastructure projects before they are accepted into production.
Finally, this entails collecting appropriate operational and assurance metrics, which should be reported regularly to the security governance bodies and to executive leadership.

Institute Appropriate Governance Roles and Forums

Security accountability is often neglected or misunderstood. Organizations often view the CISO as the single accountable role for the security posture of an organization. However, mature organizations understand that the accountability for the security and risk position of the organization rests with the senior executives who are ultimately responsible for the resources and business processes that support the organization's business outcomes. The CISO is accountable for identifying security risks and for implementing security controls; however, the governance function, typically represented by an enterprise security steering committee, is ultimately accountable for setting the security and risk direction of the organization and ensuring that the CISO has the required resources. The CISO is also responsible for ensuring that the responsible executives make prudent decisions, but the executives themselves are accountable for those decisions. Although leading organizations understand this and have accountability models that implement a chain of responsibility aligned with this approach, Gartner speaks with many organizations that take more-traditional approaches in which the CISO bears a large, if not complete, degree of responsibility and accountability, often without the necessary resources and authority. Setting such an accountability model in written form in the ESC and via a RACI chart can clarify the requirements expected of the role players.

Midlevel Forums

Large organizations often attempt to achieve scalability in their governance processes by instituting midlevel councils or committees. Typically, the primary focus of such forums is to provide local governance in decentralized or federated enterprises. In organizations that have experienced issues with participation and support for information security, such additional layers of governance can contribute to greater levels of buy-in. The main activities are to agree on local security policies and standards, to monitor localized security projects, to act as local representatives of the executive sponsor and the corporate steering committee, and to report back to these functions on general policy compliance and emerging issues (McNeil, 2015). Inasmuch as the adoption of digital business strategies is driven from within the business units, rather than from central IT, regional forums can play an effective role in governing citizen IT projects. Membership typically consists of the CISO, regional and midlevel business managers, and local IT management. These forums generally meet monthly.

Cyber/Information Security Teams

Although security teams typically have management and operational responsibilities, a sizable part of the functions of these teams is oversight (i.e., they "ensure," rather than manage or execute). Such functions include the development of security policy, the oversight of IT projects (including risk assessments), and policy compliance scanning and monitoring. The team also acts as an initiator and consolidator of governance reporting functions.

Ensure That the Right People Are Involved in Governance Activities

Common governance mistakes include:

- Populating the governance forum with IT and/or security staff, leading to security and risk decisions that do not reflect the organization's business needs.
- Allowing senior staff to send delegates to attend meetings, which leads to moribund committees that are either unwilling or unable to set direction and make difficult, unpopular or expensive decisions.

The effectiveness of information security and risk governance depends heavily on the profiles and attitudes of the people involved in the governance bodies and processes.
Participants must have the authority to make decisions, commensurate with the scope of the relevant forum or function, on behalf of the constituencies that they represent. Although participants might occasionally have to defer to their line management on major decisions, they should be able to decide most issues without resorting to this. One pitfall to avoid is having appointed members of committees regularly (or permanently) delegate attendance at these forums to their juniors. One way to avert this is to have a rule that absence or delegation to a junior implies agreement with all tabled decisions; in other words, there is no right of veto in absentia or by a delegate, unless the member is on approved leave or travel. Furthermore, committee members must fully "buy into" the objectives of the respective committees (making committee membership a formal job specification requirement might help). Without the right profiles and attitudes of members, governance forums tend to develop into ineffective debating societies.

Risk management is an explicit recognition that there is no such thing as perfect protection. When dealing with cloud computing risk, organizations must make conscious decisions regarding what they will and will not do to mitigate cloud risks. An effective risk acceptance process must work in conjunction with the stakeholders in the non-IT parts of the business, ensuring that they can express the anticipated benefits of every cloud use case. Every business decision presents residual risk that must be accepted. Even some very significant risks may be worth the business gain. The risk stakeholders have choices: they can accept more risk with lower security investment, or lower risk with higher security investment. It is a legitimate business decision to accept any level of risk that executive decision makers choose. However, risk acceptance decisions made without an appropriate risk assessment and consideration are not defensible.

Accepting Cloud Risk Is OK

Defensibility is at the center of success with this model. Are the assertions of risk accurate? Are the trade-offs appropriate? Do you have enough information to make a good and defensible decision? Unfortunately, in many circumstances, these risks do not have supporting quantifiable data comparable to the actuarial tables used in the insurance industry. You will have to use imperfect data to guide your decisions. As in any risk scenario in which decisions may need to be explained in the future, follow a consistent internal risk acceptance process, and maintain documentation that explains the underlying assumptions.

Organizations that are comfortable with ambiguity, in which individuals are empowered to make risk acceptance decisions without a highly formal business case, will find it easier to take advantage of public cloud computing. Highly risk-averse and bureaucratic organizations often struggle to make nuanced decisions, and are probably not good prospects for putting sensitive use cases into the public cloud. Although it is often less risk-transparent than traditional computing models, public cloud computing is an increasingly useful and appropriate form of computing, and, in some cases, it can have security and control advantages.

This risk decision model is about gathering information, weighing options, and making pragmatic decisions based on the best available information. Don't let your security people scare you into missing an opportunity, or allow your project managers to proceed without proactively gathering available data. Hold everyone in the process accountable for defending their decisions about security spend, go/no-go and prioritizing their activities. The only real failure is to proceed without a proactive consideration of risk. Once you weigh the alternatives, there is no wrong decision.
The guidance for implementing a risk-based approach has been consistent for many years, yet most organizations struggle. An example from the Dutch National Police proves that it can be done effectively, and that this approach demonstrably improves decision making and executive engagement. CIOs need to take a risk-based approach to address the technology dependencies of the organization that support business outcomes. This goes beyond technology risk and security, and extends to the support of the IT budget and the business value of IT. CIOs should not simply delegate technology risk and cybersecurity to a siloed risk and security team; instead, they should take an active role in developing a risk-engaged culture throughout the IT department and with non-IT stakeholders.

The limitations of traditional approaches to technology risk and cybersecurity are evident from the continuous headlines and data breach notification letters. Globally, executives, regulators, auditors, governments and the general public are all rightfully concerned and seeking answers. Certain truths are now evident:

- Checklists, compliance and baselines don't work. These approaches result in overspend in some areas and underspend in others, and fundamentally ignore the unique requirements of each organization and situation, resulting in poor protection from real threats (Reamer, 2013).
- There is no such thing as perfect protection. This should be obvious, but many non-IT stakeholders still treat technology risks as a technical problem, handled by technical people, and believe that the right spend, people and technology will solve the problem.
- Accountability is broken. Many organizations still use accountability to choose whom to fire when something goes wrong. This toxic behavior stifles transparent conversations about real solutions to real problems.

Address Auditor/Regulator Concerns When Checklists and Baselines Are Abandoned

Regulators and internal auditors are challenged with overseeing and judging a system that allows organizations to consciously accept risk. Checklists and baselines are easy to audit, but they do not achieve appropriate levels of protection balanced against the need to run a business. Losing these crutches changes the very nature of third-party oversight, and most internal audit departments and regulators are not prepared for this change. Auditors and regulators hold great power, and if they continue to use outdated methods for oversight, they will hold organizations back. Executives are reluctant to put their careers at stake to accept risk when it is easier to just do what the auditors and regulators tell them to do. This is a vicious cycle that keeps organizations from appropriately protecting themselves, and it must be broken for progress to be made. The good news is that risk-based approaches are not new, and many regulators and auditors have been working to understand and engage in auditing risk-based approaches. Indeed, most frameworks and regulations mandating cybersecurity have become risk-based. The challenge remains that most auditors and regulators fall back into old checkbox approaches when faced with the responsibility of signing off on someone else's risk acceptance choices.

Guidance: CIOs need to move to a risk-based approach for the benefit of their organizations, despite the challenges presented by regulators and internal auditors. Gaining the trust of regulators is a multiyear effort. In the first year that regulators are presented with a risk-based prioritization of controls, they will inevitably reject it. In the second year, they will grudgingly look at it, but maintain their old approach to checking boxes. In the third year, they will learn from the risk-based approach, and begin to develop an eye for defensibility and rigor in a good assessment.
CIOs must understand this evolution, remain patient and work with the regulators as they come up to speed. Kleijn points out that CIOs must stand firm in the face of pressure to revert to checkbox approaches, or, as the Dutch say, "straighten your back." CIOs need to work with their audit committee directly to change this perspective. They need to break the belief cycle that something is not a problem unless audit writes it up. The business value of taking a risk-based approach is clear, but it will take time to change perspectives and create defensibility with good assessment processes and reporting.

Reality Check: Applying These Lessons in a Large Enterprise

These lessons are applicable in every industry: public, private and defense. However, they come with significant challenges. It took the Dutch National Police 10 years to instill the culture needed to implement these processes, but they are experiencing great value, so the results are well worth the journey. Most organizations are not ready to implement a similar process and immediately get the same value. CIOs must apply these lessons over time, and patiently work to change their organization with the long-term support of non-IT executives.

References

Galliers, R. D., & Leidner, D. E. (2014). Strategic information management: Challenges and strategies in managing information systems. Routledge.
Haimes, Y. Y. (2015). Risk modeling, assessment, and management. John Wiley & Sons.
Lam, J. (2014). Enterprise risk management: From incentives to controls. John Wiley & Sons.
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management.
Neves, S. M., da Silva, C. E. S., Salomon, V. A. P., da Silva, A. F., & Sotomonte, B. E. P. (2014). Risk management in software projects through knowledge management techniques: Cases in Brazilian incubated technology-based firms. International Journal of Project Management, 32(1), 125-138.
Reamer, F. G. (2013). Social work in a digital age: Ethical and risk management challenges. Social Work, swt003.
Sadgrove, K. (2016). The complete guide to business risk management. Routledge.
Schneider, E. C., Ridgely, M. S., Meeker, D., Hunter, L. E., Khodyakov, D., Rudin, R., ... & Harpel, J. (2014). Promoting patient safety through effective health information technology risk management. Santa Monica, CA: RAND.
Schwalbe, K. (2015). Information technology project management. Cengage Learning.
Smith, K. (2013). Environmental hazards: Assessing risk and reducing disaster. Routledge.
Teller, J., Kock, A., & Gemünden, H. G. (2014). Risk management in project portfolios is more than managing project risks: A contingency perspective on risk management. Project Management Journal, 45(4), 67-80.
Willcocks, L. (2013). Information management: The evaluation of information systems investments. Springer.
Schubert, G. A. (1960). The public interest: A critique of the theory of a political concept. Free Press of Glencoe.
Mizutani, F., & Nakamura, E. (2015). To what extent do public interest and private interest affect regulations? An empirical investigation of firms in Japan (No. 2015-21). Kobe University, Graduate School of Business Administration.
Sanday, P. R. (Ed.). (2014). Anthropology and the public interest: Fieldwork and theory. Academic Press.
Baudot, L., Roberts, R. W., & Wallace, D. M. (2015). An examination of the US public accounting profession's public interest discourse and actions in federal policy making. Journal of Business Ethics, 1-18.
van Witteloostuijn, A., Esteve, M., & Boyne, G. (2016). Public sector motivation ad fontes: Personality traits as antecedents of the motivation to serve the public interest. Journal of Public Administration Research and Theory, muw027.
Duhigg, C., & Barboza, D. (2012). In China, human costs are built into an iPad. New York Times, 25.
Hannah, D. R., & Robertson, K. (2015). Why and how do employees break and bend confidential information protection rules? Journal of Management Studies, 52(3), 381-413.
Heracleous, L., & Papachroni, A. (2012). Strategic leadership and innovation at Apple Inc. Case study. Coventry: Warwick Business School.
