Available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Computer Law & Security Report 22 (2006) 150–156
Risk management – Beyond compliance
New dynamic threats require new thinking – ‘‘Moving beyond compliance’’
Bill Woloch
BearingPoint, Florida, USA
Abstract
Threats today are much more flexible, stealthy, and dynamic than they have ever been.
Current efforts by IT professionals and risk managers have had little impact in the mitiga-
tion of these threats. When you combine this trend with a renewed focus on protecting soft
assets, such as intellectual property and reputation, a new approach is needed that swings
the pendulum back toward the computer user as an active participant in the risk mitigation
efforts. Building risk management responsibilities into each employee’s job description,
and holding each employee accountable, is the first step in the process of combating
today’s threats. Risk managers and security professionals must also understand that by
taking a holistic view of organizational risk, they can effectively work with human resource
managers to ensure that everyone is doing their part in the organization’s risk manage-
ment effort. Compliance is no longer feared by those that it affects, but has turned into
a byproduct of a greater effort to effectively match competencies against organizational
objectives, resulting in a risk management effort that actually reduces mitigation costs
and increases effectiveness.
© 2006 Bill Woloch. Published by Elsevier Ltd. All rights reserved.
1. Introduction
The nature of cyber threats over the last 10 years has become
much more dynamic than in the past. Previously, when
threats were successfully repelled, it took days, weeks, or
even months for threats to regroup and rethink their approach
before trying again. During this time of regrouping, organiza-
tions had the time to analyze what worked and what did not
work in their risk mitigation strategy. That is not the case to-
day. New strains of viruses can be morphed and new attacks
begun in a matter of hours, not days. Hackers work in loosely
organized groups from numerous locations around the world,
successfully hiding the origin of the attack. Organizations
spend anywhere from $247 to $643 per employee [1] on computer security, not an insignificant amount of money.
Today’s threats are much more dynamic and adaptable than
in the past. IT tools help the bad guys as much as they help the
good guys. This situation is far from balanced. The bad guys
have the advantage. Loose confederations of hackers, or even
government sponsored cyber threats, leave few, if any, traces of
their origin or of the security event itself. Added to the challenge of locating remote threats, we are faced with the ongoing problem of insider threats. Surveys have repeatedly reported that around 70% of security events involve insiders. Risk and security professionals in turn rely on IT-based tools to flush out these perpetrators, often without much success.
Let us take a moment to discuss one of the most prevalent
forms of dynamic threats, that is, insiders. What motivates
them, and what related events impact the number of insider
assisted security events in an organization? IT security
[1] CSI/FBI Computer Crime and Security Survey, 2005.
0267-3649/$ – see front matter © 2006 Bill Woloch. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2006.01.008
professionals have tended to regard such topics as relevant only within their own domain. Take the recent example at Hollinger International.
‘‘The Securities and Exchange Commission may charge
directors who served on Hollinger International Inc.’s audit
committee for allowing an alleged fraud to take place un-
der their nose, according to Bloomberg, citing two people
with direct knowledge of the matter.’’ [2]
The Federal Government is taking directors’ responsibili-
ties seriously; yet how do directors, executives and managers
ensure that insider threats are minimized and eliminated?
The issue becomes even more critical when you examine
the large gaps in mitigating risks of soft assets, such as repu-
tation and intellectual property. Organizations are finding that
these assets are an important part of their market capitaliza-
tion, and are often not insurable.
Conversely, problems like off-shoring, downsizing, accidents, work place violence and more are typically seen as human resource problems, which sometimes require the help of other departments like physical security or the safety department. The two viewpoints, insider threats as an IT security problem and insider threats as a human resources problem, are not actually mutually exclusive. Over the last few years, different parts of organizations have begun to see the direct and indirect impacts that computer related threats have on the organization as a whole.
Dr. Paul Viollos, President of Risk Control Strategies, re-
cently stated that insider actions involving the dissemination
of computer viruses or IT equipment sabotage are considered
a form of work place violence. Similar views are held by other
experts in related fields. Dr. Viollos is frequently interviewed
by major news outlets and most recently has had teams in
place in New Orleans investigating assaults at the Superdome.
Dr. Viollos commissioned a study on the effects of work place
violence and the results showed that for a public company,
one instance of publicized work place violence causes company stock to decline in value by about 15% for an average of 250 days. When we think about the capitalized value of many
companies today, the numbers can add up to hundreds of mil-
lions of dollars. Remember, work place violence includes in-
sider threats to network systems. Downsizing and off-
shoring also motivate insiders to pose threats to a company.
Sabotaging servers, introducing viruses, destroying critical
data, are all real-world malicious activities performed by in-
siders and/or remote threats.
All of a sudden, the relationship between dynamic threats
and insiders becomes much clearer. It is not to say that all
insider threats and dynamic threats in general are related to
work place violence, but when you combine the other ‘‘human resource’’ problems we mentioned earlier, the picture that emerges is one in which the CIO, CSO and corporate security cannot, by themselves, successfully mitigate all the threats faced by organizations today.
Today’s enterprise risk management approach seeks to
break down the organizational silos, facilitate the mitigation
of threats, and, at the same time, continue to use compliance
as part of the risk management solution. By taking a holistic
[2] http://select.nytimes.com/gst/abstract.html?res=F20F17F834550C768DDDAB0994DD404482.
view, standards, frameworks, and metrics are still used, but ‘‘compliance’’ is a byproduct of the risk management approach.
Meanwhile, threats and vulnerabilities are monitored in
near real-time, and mitigation is continuously implemented.
Let us examine the role static and dynamic security sys-
tems play in today’s new threat environment, so we can better
understand the role internal controls and compliance play in
risk management and security.
2. Static and dynamic security systems
Security systems can be classified into one of two categories, static or dynamic. Dynamic systems are just what the word says: adaptable, flexible, resilient, and elastic. They rely less on technology and more on people.
Dynamic systems do not need additional programming
and new costs each time the threat and situations change.
They are also the most expensive. People are not cheap, yet
it has been proven time and time again – you get what you
pay for. Technology should be viewed as an enabler to
dynamic systems, instead of a replacement. Static security
systems, as the name implies, can be characterized as rigid,
difficult to modify, and inflexible. For example, a concrete bar-
rier or gate, once installed, can change little to defeat changing
threats. The same holds true for technology. Software and
hardware upgrades come out periodically, yet the threat is
constantly changing.
Look at the vicious cycle of hackers and IT security soft-
ware. Each time a new version of a tool is made available for
sale, hackers find and exploit the weaknesses. The software
companies fix the weaknesses, and the hackers find new
ones. The cycle never ends.
Technology cannot take the context of a threat situation
and make decisions. People can. Yet many organizations
spend millions of dollars on technology-based security solu-
tions, only to discover that they still have vulnerabilities.
Used properly, technology does close vulnerability gaps by
enabling people to do their jobs more effectively in protecting
assets. How many terrorists or criminals are located and
captured by technology alone? It is the people who use the
technology that protects us against these threats.
3. Security system design
All security systems have weaknesses. When technology is introduced into a security system, its weaknesses become much more difficult to discover and protect against. User interfaces hide the complexity and vulnerabilities of technology security solutions.
Designing security systems requires testing against a num-
ber of threats to find new vulnerabilities. The testing is per-
formed each time a new component is installed and before
the threat strikes. Thus, the security solution weaknesses
are discovered (what made them fail) and adjustments are
made accordingly to protect those weaknesses. We are also
less prone to fully test complex systems to determine their
weaknesses, resulting in insecure systems that may be more
vulnerable upon introduction of a new component.
For instance, over the last few hundred years, prisoners
have sat in their cells all day, every day, using plastic utensils
to destroy door hinges, locks and anything else that they can
find. They have had the time and opportunity to discover
and attempt to defeat the protection against abuse in all
prison cell components. Modern prison cell construction
uses pre-cast concrete, doors with minimum clearances, and
tempered steel construction.
The same holds true with technology. The difference is,
unlike the prison cells, which can be inspected daily for
tampering, tampering with technology (i.e., hacking); is
much more difficult to discover and defend against. User
interfaces designed for ease of product use hide complex sys-
tems underneath. These systems have vulnerabilities that
most organizations do not and, many times, cannot detect.
Testing for vulnerabilities in technology-based security
solutions is minimal at best. Consider the testing done on
a bullet-proof vest. The prototypes and production units are
initially tested in labs replicating real-world conditions. They
are also tested by actual use in the field. On the other hand,
when a new technological tool is developed, and tested in
even the client’s labs, very few end users continue to test
once the solution is implemented. This lack of field testing
gives threats the opportunity to exploit vulnerabilities
unknown to the client.
Security systems can also fail at the edges. By ‘‘the edges,’’ we mean where different security system components meet each other: for example, a blind spot between two cameras, or an access control system and its interface to the human resource database that are not kept continually in sync. Technology based security systems, because of their static nature, can also cause damage out of all proportion to a single flaw: once hackers find a vulnerability in a popular technology-based security tool, they can exploit the same vulnerability across hundreds of companies that use the same tool.
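The sync gap just described, an access control system and the HR database drifting apart, is one of the few edge failures that can be checked mechanically rather than by inspection. The following is an added example, not code from the paper or from BearingPoint: it reconciles a constructed HR roster export against a constructed access-control export (the field names employee_id, status, termination_date, enabled and last_badge_use are assumptions, as is the one-day offboarding grace period) and reports terminated employees whose credentials are still enabled, badge use after the termination date, enabled credentials with no HR owner, and active employees with no account at all.

```python
"""Reconcile an HR roster against an access-control export.

Added example (not from the paper). It finds accounts that fall through the
gap at the edge between two security components: people HR says are gone but
the access-control system still admits, and credentials HR does not know
about at all. All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    """One row of the (hypothetical) HR roster export."""
    employee_id: str
    status: str                               # "active" or "terminated"
    termination_date: Optional[date] = None   # set when status == "terminated"


@dataclass(frozen=True)
class AccessAccount:
    """One row of the (hypothetical) access-control system export."""
    employee_id: str
    enabled: bool
    last_badge_use: Optional[date] = None


Finding = Tuple[str, str]   # (finding type, employee_id)


def reconcile(hr: List[HrRecord], acl: List[AccessAccount], today: date,
              grace_days: int = 1) -> List[Finding]:
    """Cross-check both exports and return sorted (finding_type, employee_id).

    grace_days (an assumed tolerance) absorbs normal offboarding lag: a
    termination recorded today whose badge is disabled tomorrow is not a
    finding; one still enabled weeks later is.
    """
    hr_by_id = {rec.employee_id: rec for rec in hr}
    findings: List[Finding] = []

    for acct in acl:
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            # Enabled credential with no owner in HR: shared, forgotten or planted.
            if acct.enabled:
                findings.append(("orphan_account", acct.employee_id))
            continue
        if rec.status == "terminated":
            gone_for = ((today - rec.termination_date).days
                        if rec.termination_date else None)
            if acct.enabled and (gone_for is None or gone_for > grace_days):
                findings.append(("terminated_but_enabled", acct.employee_id))
            # Evidence the gap was actually used, not merely left open.
            if (acct.last_badge_use and rec.termination_date
                    and acct.last_badge_use > rec.termination_date):
                findings.append(("badge_used_after_termination", acct.employee_id))

    acl_ids = {acct.employee_id for acct in acl}
    for rec in hr:
        # Not an exposure, but proof the HR-to-access feed is out of sync.
        if rec.status == "active" and rec.employee_id not in acl_ids:
            findings.append(("active_without_account", rec.employee_id))

    return sorted(findings)


# Constructed sample exports (not real data).
TODAY = date(2006, 3, 1)
HR_ROSTER = [
    HrRecord("E100", "active"),
    HrRecord("E101", "terminated", date(2006, 2, 10)),  # left three weeks ago
    HrRecord("E102", "terminated", date(2006, 3, 1)),   # offboarded today
    HrRecord("E103", "active"),                          # never provisioned
]
ACCESS_EXPORT = [
    AccessAccount("E100", enabled=True, last_badge_use=date(2006, 2, 28)),
    AccessAccount("E101", enabled=True, last_badge_use=date(2006, 2, 14)),  # badged after leaving
    AccessAccount("E102", enabled=True, last_badge_use=date(2006, 3, 1)),
    AccessAccount("E999", enabled=True),                                     # unknown to HR
]


if __name__ == "__main__":
    for kind, emp in reconcile(HR_ROSTER, ACCESS_EXPORT, TODAY):
        print(f"{kind:30s} {emp}")
```

Run daily against the two real exports, the first two finding types are exactly the opening a downsizing-motivated insider would use; the last type exposes a broken feed even when no access is actually exposed, which is the moment to fix the interface rather than wait for the annual review.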
Well-designed security systems are centered on people,
and utilize technology to maximize the value people bring,
while adding minimal new vulnerabilities inherent in the
technology itself. A wall or locked gate will not stop threats;
it is the people behind them who are the deterrent.
4. Compliance based approach
Despite the new paradigm of dynamic, adaptable threats,
many organizations still use the same approach to risk mitiga-
tion they have used for years. They have a small cadre of
experts (accountants, IT security and physical security experts,
and others) who are tasked to mitigate risk. The challenge
they face is monumental because the executives for whom
they work have given them the charter of compliance, compli-
ance and compliance.
A compliance based approach to risk management can be characterized as being:
• cyclical (time based) – metrics are designed to be reviewed over a long period of time (quarterly, annually);
• driven by fear of failure – grading systems force organizations to focus on the metrics for each period and not necessarily on longer term solutions that may be more cost effective;
• sustaining organizational silos, because each silo (finance, operations, human resources, IT, internal audit, etc.) has different metrics based on different standards.
Along with this sometimes zealous focus on compliance
comes the periodic and cyclical approach to risk that uses
static ‘‘snapshots’’ to determine an organization’s ability to
defend against threats; often performed on an annual basis
to ‘‘comply’’ with the latest standards and frameworks.
Many times, the compliance approach holds individuals
accountable, but there is little granular measure as to the extent
of compliance. Metrics are often designed to determine
whether some process or task is ‘‘being done or not being
done’’ at the individual level, leaving a gap with regard to
the extent of compliance. All of these efforts work within
a time dimension (annual tests, reviews, updates), which
support the compliance mentality.
How does this ‘‘compliance’’ approach to risk management
facilitate the organization’s ability to actively defend itself
against a dynamic threat that can quickly adapt and re-attack
in hours?
Professor Mark Davies [3] of Fordham Law School has written on the topic of compliance based conflicts of interest systems. His thoughts clearly delineate the advantages and drawbacks of a compliance based system, and they are directly applicable to risk management and security:
‘‘…In a compliance-based conflicts of interest system, laws
and regulations prohibit specific interests and conduct.
…This approach offers one substantial benefit: it gives
clear guidance to public officials on what actions are
permissible and what actions are not. This approach,
however, contains two overwhelming drawbacks.
First, it transforms correct government conduct into a se-
ries of rules. As a result, a compliance-based approach is
divorced from those values and ethics that promote a pub-
lic service that is not merely non-conflicted but that is affir-
matively devoted to advancing the public good. Since in
a compliance-based system what is not prohibited is al-
lowed, that system invariably focuses officials’ attention
not on doing what is right but on not doing what is wrong,
not on doing one’s best but on not doing one’s worst.
Second, as a related point, a compliance-based conflicts of
interest system cannot promote the essential values of the
nation because rules are negative whereas values almost
invariably reflect positive and aspirational principles. Rules
do not inspire. Values do.’’
[3] ‘‘A Practical Approach to Establishing and Maintaining A Values-Based Conflicts of Interest Compliance System’’, page 9, by Professor Mark Davies, Adjunct Professor of Law, Fordham University School of Law.
Professor Davies makes the point that compliance connotes a ‘‘do not do this’’ approach to conflicts of interest, and by analogy to risk management, instead of a pro-active, values based approach. The inspiration he speaks about is the fuel for a dynamic risk mitigation approach which relies on people and technology equally.
Dynamic threats require a dynamic response. What is
needed is a different approach to risk management that cre-
ates a self-perpetuating, near real-time mitigation strategy
that requires everyone in the organization to mitigate their portion of the risk management universe – like molecules in science, where the whole is greater than the sum of its parts.
Using this new model of thinking, organizations can develop
a new risk management strategy that counters the threat’s
ability to rapidly adapt. This viewpoint and the subject of
this paper, run counter to the popular thinking that ‘‘people
are the weak link in security’’ and technology can reduce
risk, despite people pasting their passwords on their monitors.
While there are certainly many security incidents that involve
carelessness, mistakes, and even direct threats from insiders,
many of the tools that support network security efforts on the
users end tend to be cumbersome and difficult to use. Often
because of lack of funds, the proper tools are not procured,
resulting in work-arounds. Usually there is very little, if any,
training of individuals regarding security and risk manage-
ment in an organization. Security is viewed as a necessary
evil that does little to add to the bottom line. No wonder users
and IT security professionals are frustrated.
IT security experts today rely on a number of products,
standards, and processes to accomplish their security identifi-
cation and assessment tasks, and provide their recommenda-
tions to CIO’s and other senior executives. Yet when closely
examined, this process needs to be periodically repeated to
provide and sustain any value to the organization. This ap-
proach also costs organizations thousands of dollars, tying
up valuable resources each time a security assessment is per-
formed. Standards, frameworks and metrics are always evolv-
ing, making it more difficult for the security professional to
provide a solution roadmap to his organization that does not
require another assessment in a year or so. Traditional and
enterprise risk management both rely on some form of verifi-
able measurement, most often relying on differing standards,
frameworks and metrics; usually within a cyclical time frame
dependency. Risk managers and IT security professionals tend
to rely heavily on static defenses. These include a host of IT
tools that are modified annually as ‘‘versions’’. Certainly virus
definition files are updated hourly, but still cannot react in
a real-time, dynamic manner against today’s rapidly adapt-
able threats.
Risk is a slippery slope traveled by many, and purported
to be understood by executives. Get two risk management experts in a room, however, one financial and another IT, and all of a sudden they are unable to discuss risk. Each risk management expert will put risk in a different context, using a different vocabulary, definitions, metrics, processes, and standards; these differences occur because of the siloed, compliance based mentality we all have today. Ask each expert to list
the overall risks to the organization, and their lists will con-
tain different items and will vary in length. This conundrum
regularly results in different viewpoints that do little to
provide executives a comprehensive risk profile on which to
base decisions. Even the formula for risk is different for these
two risk managers.
• Financial risk managers use sophisticated computer models to calculate risk.
• IT professionals use the Federal Government definition: likelihood × impact = risk.
• Other risk managers equate risk with threat × vulnerability × asset value.
5. Enterprise risk management
To address the issues we have presented so far, executives
and risk managers have begun talking about issues such as
risk profile and enterprise risk management as solutions to
these complex issues and problems. CIO magazine defines
enterprise risk management [4] (ERM) as:
‘‘… the process of planning, organizing, leading, and con-
trolling the activities of an organization in order to mini-
mize the effects of risk on an organization’s capital and
earnings. Enterprise risk management expands the process
to include not just risks associated with accidental losses,
but also financial, strategic, operational, and other risks.’’
Nowhere in this definition do we find the ‘‘how’’ to assess or mitigate dynamic, adaptable threats. Enterprise risk management also relies on a compliance based approach to risk. As we discussed earlier, this traditional approach to risk does little to enable organizations to dynamically protect their assets and close their vulnerabilities against today’s loosely knit and dynamic threats.
6. Holistic approach
A holistic approach to risk management can be defined as not only the management of all risks in an organization, with consideration of all risk interdependencies, but also the integration of risk management itself into the organization, its processes and culture. It focuses on the effect that each of four elements of risk, if broken out organizationally (financial, physical security, health/safety, IT/technology), has on the others, paying particular attention to the impact hidden technology weaknesses have on the other three areas and on the internal controls of an organization. Therefore, holistic risk management is aligned not only with traditional views of risk, but with the overall impact on the success of the organization in achieving its goals from a values based perspective. Professor Davies again discusses the benefit of such an approach.
‘‘… The second approach to a conflicts of interest system is
values based. A values-based conflicts of interest system
[4] http://searchcio.techtarget.com/sDefinition/0,,sid19_gci508983,00.html.
exhorts public officials to strive for and attain certain
standards.
…Properly crafted, this approach clearly promotes essen-
tial national values. It also encourages the official always
to strive toward an ideal, not to do the ethical minimum
but to do the ethical maximum. Such a system properly de-
serves the name not merely of a conflicts of interest system
but of an ethics system, for by professing values, not merely
rules and regulations; it inculcates in public officials ethical
standards. But a values-based conflicts of interest system
possesses one devastating drawback: it provides no clear
guidance to public officials as to what is and what is not
permitted in actual, real-life circumstances and thus also
offers little reassurance to the people that their public offi-
cials are in fact acting in the public interest.’’
A holistic approach to risk management relies on everyone
in the organization to identify and assess threats and vulner-
abilities and help in risk mitigation as part of their job and
organizational culture. This results in the creation of a values based system in an organization where the whole is greater than the sum of its parts. Individual risk responsibilities are
built into all job descriptions and reinforced by being included
in performance reviews and individual goal setting; in other
words, individualized metrics. A person’s ability to keep his
job will depend on the knowledge and skill he has in perform-
ing his duties while managing the risk that comes with them.
Each employee will be rewarded when they succeed, and dis-
ciplined when they don’t fulfill performance objectives, in-
cluding risk mitigation, to include dismissal, if they fail to
manage their portion of the organization’s risk.
Guidance on ‘‘what not to do’’ still comes from compliance
requirements. But compliance is now a byproduct of risk
management because the ‘‘fear of failure,’’ in a traditional
time based (cyclical) compliance approach, is considered sec-
ondary to the desire of the organizational employee base to
manage their part of the organization’s risk on a day-to-day
basis.
HRM, or Holistic Risk Management, can be an integral part
of the culture of the organization; resulting in continual ‘‘real-
time’’ risk management that is self-sustaining and self-heal-
ing; and which is being practiced by everyone in the organiza-
tion. In this environment, compliance is a byproduct and not
a goal and, since risk management is integrated throughout
the organization, time is no longer a dependency, because
risk management is being performed by all of the organiza-
tional members, at all levels, on a real-time basis. The risk
of failure and missed deadlines are contained within the
normal working parameters each person in the organization
already faces on a day-to-day basis, so energies can be focused
on organizational goals, vis-a-vis, sustainability and profit.
[Figure 1: a three-column roadmap from cyclical to real-time controls, reached through cultural change. Traditional RM internal controls (formal; more reviewing and reporting): encourages organizational silos, focused on regulatory and financial requirements, little communication between departments; an organization chart shows the CEO and Internal Audit above Finance, Operations, IT and HR silos, with employees beneath; differing standards (cyber, Federal Government, commercial and international), including NIST (CSEAT), GAO, FEMA, CIAO, GSA/PBS, SCADA, ASIS, COSO, ASTM, AS 4360, NFPA 5000, NFPA 101, ANSI building codes and IEEE/OSE. Enterprise RM internal controls: awareness of risk increased, cross-enterprise risk identified, coordination across business units for more effective mitigation, complete/consistent risk information, common risk language established, shareholder value protected/enhanced. Holistic RM internal controls (inherent; less formal reviewing and reporting, more information and communication): inherent controls promote purpose, capability and commitment, and are described by motivating trust and relationships, systems thinking, developing a learning organization, and matching competencies with objectives. Steps to Holistic Risk Mgmt.: 1. establish baseline (assessment); 2. gap analysis; 3. policies and procedures review and adjustment; 4. involve Internal Audit and HR from the beginning; 5. education of executives and their subordinates; 6. get the message out / walk the talk.]
Fig. 1 – Roadmap to holistic risk management.
Enterprise risk managers argue that ERM does many of the things a holistic approach espouses, yet the definitions of the two bear little similarity. Fig. 1 summarizes the differences.
The compliance based approach used by traditional enter-
prise risk management professionals relies on a formal inter-
nal controls structure which supports a cyclical (not real-time)
process (formal control involves monitoring, reviewing and
reporting as in a traditional command–control style process
based on organizational hierarchy).
A holistic approach uses inherent controls, which occur
continuously and consistently throughout the organization
as part of normal business practice and, to a large extent,
such controls are self-sustaining. Elements that contribute
to an inherent control system include systems thinking, de-
veloping a learning organization, motivating trust and rela-
tionships, and matching competencies with objectives.
Inherent controls promote:
• purpose;
• capability;
• commitment.
And are described by:
• motivating trust and relationships;
• systems thinking;
• developing a learning organization;
• matching competencies with objectives.
The differences between the cyclical ‘‘compliance’’ based
approach and the self-sustaining approach are summarized
below:
Traditional and ERM approach (periodic and cyclical):
• ‘‘compliance’’ mentality;
• periodic repeated ‘‘compliance’’ audits are necessary;
• competing and differing standards, frameworks and metrics perpetuate a ‘‘silo’’ mentality;
• differing viewpoints;
• no overall risk profile;
• ‘‘not my problem’’ attitudes.

Holistic risk management approach (near real-time):
• standards, frameworks and metrics still used, and ‘‘compliance’’ is a byproduct;
• threats and vulnerabilities continuously monitored and mitigation continuously implemented;
• cultural change minimizes the ‘‘silo’’ mentality toward risk management;
• risk management mind-set perpetuated throughout the organization.
Fig. 2 below summarizes the differences between the cycli-
cal ‘‘compliance’’ based approach and the self-sustaining
approach.
[Figure 2: two panels. Traditional & Enterprise Risk Mgmt.: a cycle whose repetition is necessary, driven by frameworks, standards and metrics, with reviewing and reporting stages. Holistic Risk Mgmt.: ‘‘Holistic Risk Management is Self-Sustaining’’; risk management is integrated and shared by all members of the organization, and threat assessment, vulnerability identification and risk mitigation are performed on a continuous near real-time basis. Three boxes name the concerns addressed: identifying the new threats, and opportunities, from global sources; adequacy of existing security policies, tools and infrastructure to protect vulnerabilities; and the ‘‘silo’’ response to incident response and business continuity planning to mitigate risk. Side note: Holistic Risk Management is self-sustaining; traditional and enterprise risk management are not, they require periodic, discrete efforts by a dedicated team.]
Fig. 2 – Differences between the cyclical ‘‘compliance’’ based approach and the self-sustaining approach.
7. The last mile
Any time an organization uses a compliance based approach
to problem solving, efficiencies are limited and new ideas
are often suppressed. Educators have complained for years
that because of federal education guidelines, schools now
focus on ‘‘teaching the test’’ to get high school students to
pass the required competency exams, instead of preparing
children for adulthood and teaching the skills they will need
in college.
The same holds true for risk management and security.
Moving away from a compliance based approach to a more
holistic or integrated approach brings the focus where it needs
to be, on the problem, and not on compliance. In return, the
organization’s risk management efforts will become more ef-
fective and, in the end, self sustaining, because risk manage-
ment becomes a part of organizational culture, and is woven
into the fabric of the day-to-day activities throughout the or-
ganization. The benefits to moving in this direction include:
• reduced operating costs (less money spent on problems such as work place violence, insider threat detection, etc.);
• number of security events reduced (insiders aware of new culture, with more eyes watching);
• management and employee risk management expectations more closely matched;
• less finger pointing when things go wrong;
• ownership of risk is where it should be, each person responsible for their part.
These benefits do not come for free. As with any effort,
there are obstacles to overcome. By capitalizing on the new in-
volvement of the human resources department and internal
audit to ensure everyone in the organization understands
their roles and responsibilities regarding risk, however, the
organization’s efforts become more value based, instead of
compliance based, resulting in a more effective risk manage-
ment effort.
8. Getting there
Executives can begin to move down the road to a less compli-
ance based and more holistic approach to risk management
and security by relying less on formal controls and more on in-
herent controls. This migration must include executives,
managers, internal audit and human resources to match indi-
vidual competencies to organizational objectives. This pro-
cess can be started by taking the following steps:
• establish baseline (assessment);
• gap analysis;
• policies and procedures review and adjustment;
• involve internal audit and human resources from the beginning;
• education of executives and their subordinates;
• get the message out/walk the talk.
9. Conclusion
Today’s reality includes dynamic threats, which are many
times hidden from view, and may belong to loose confedera-
tions or even hostile governments. Risk management and se-
curity professionals have been fighting a valiant battle
against these threats. A holistic approach to these issues
seems to embody all of the characteristics that organizations
would want in combating today’s dynamic threats. Though not a substitute for technical mitigation strategies, taking a holistic view offers the best methodology for seeing risk mitigation efforts fully realized. By its very nature, the holistic approach provides the near real time and self sustaining
capability to allow risk management metrics to be collected,
analyzed and applied against the problems traditional enter-
prise risk management can not alone solve. In addition, soft
assets are further protected by everyone taking responsibility
for those assets, which traditional insurance policies can not
replace.
Furthermore, by encouraging an inclusive policy that holds
every person in the organization accountable to manage their
portion of the organization’s risk, organizations can begin to
mitigate the risks brought by new dynamic threats. Costs
are reduced, because the formal controls previously in place
(at considerable cost) can now be reduced or eliminated by us-
ing more cost effective inherent controls. The use of inherent
controls and a holistic approach also bring the added benefit
of addressing insider threats that can be exacerbated by
downsizing, off-shoring, and work place violence.
Corporate counsel and risk officers can easily point out the
benefits identified herein, and suggest to their boards that
the cost benefit of taking such an approach will come back
to the organization at the conclusion of each compliance
cycle. This is true because the inherent controls based
approach to risk management builds compliance into daily
activities by everyone in the organization, thus reducing the
time and expenditure necessary for audits and reviews. In
addition, the ability to detect insider threats; and the protec-
tion afforded to soft assets such as intellectual property and
reputation through the utilization of this approach will fill
the mitigation gap which a third-party insurance policy can
not cover.
Dr. Bill Woloch ([email protected]), Manager, Public Services Security Practice, BearingPoint (Business and Systems Aligned. Business Empowered.), Boynton Beach, Florida; www.bearingpoint.com.