Philosophical phriday - strategic risk management (LONG)

Recently I enjoyed a lecture by a bank's economist to local business leaders concerning the NZ economy. Observing the blizzard of graphs, I was struck by his short timeline, stretching to about a couple of years ahead.

Now I'm sure the economist is earning his crust at the bank. Of course they need to keep on top of day-to-day and month-to-month fluctuations in the economic parameters, playing the markets. Equally, I'm sure the bank has other experts with a longer-term outlook, diligently modelling the implications of national and global issues including political, social, environmental and technological, for many years or decades ahead - for at least as long as the bank's mortgages and business loan periods anyway.

Nevertheless, that prompted me to think about planning horizons in information risk and security management, within the broader context of budgeting and investment management in any commercial organisation - a pertinent topic as we plummet towards the new calendar year and, for many, the new financial year.

The 2025 departmental budget is perceived by some CISOs as their absolute top priority and immediate focus at this time of year, for understandable reasons: they need senior management to allocate sufficient organisational resources to operate effectively and so provide an adequate service level for the year/s ahead. If the organisation has been performing badly and must reserve/ration its dwindling resources, especially if management foresees continuing tough economic conditions ahead, corporate resources are probably going to be tight during 2025.

Aside from any cunning plans to invest in improvements, a substantial baseline level of expenditure is generally implied by the need simply to maintain current capabilities such as compliance obligations - or else risk (further) degrading the level of security, doubtless increasing the frequency and severity of incidents. 

Fair enough, but that's quite reactive or retrospective so far. So what about the forward view - investing for the future, substantially improving the corporate risk and security infrastructure, seizing significant capability and technology improvement opportunities, getting into AI or supply chain risk management, ensuring compliance with new regs (NIS2, DORA ...), that sorta thing? 

Improving governance, for instance, may involve reviewing scopes, roles, responsibilities, accountabilities, missions/goals/objectives, reporting and working relationships, insourcing/co-sourcing/outsourcing, priorities etc. It involves discussion, liaison, collaboration and agreement on the way forward, including the resourcing aspects. If groups, functions, departments or business units are to be merged, split out or otherwise reorganised at some point, their [remaining] budgets will have to be reallocated and adjusted accordingly.

These governance, resourcing, planning, prioritisation and other uncertainties involve or equate to information risks, which deserve to be recognised as such and treated appropriately by the business: does your risk register include any of this? Does it at least cover the most significant risk/s? If you are a CISO or part of the information risk and security management team, have you in fact analysed, evaluated and decided how to treat the risks relating to governance, strategies and resourcing in the area of information risk and security management?

As a reminder, your non-exclusive ASMA risk treatment options are to:

  1. Avoid the risks e.g. don't make any significant investments, technological or governance changes. This of course implies forgoing the associated benefits and projected net value, as well as reducing costs. Not doing various things, or doing them differently (e.g. delaying or constraining them) probably increases other risks (e.g. not being prepared and able to respond to imposed changes such as new laws and regs, or inability to support business changes), making this a tricky option to model and evaluate. 

  2. Share the risks. It could be argued that significant strategic decisions relating to information risk, security etc. are senior management's responsibility with implications for the C-suite as a whole and probably the Board of Directors, rather than the CISO and team. Notice, however, that this treatment involves sharing not transferring the risk or simply abdicating responsibility. Lower levels of management are naturally expected to inform and advise senior management competently and diligently. Furthermore, senior managers are mere mortals, prone to misunderstandings and mistakes like anyone - in which case, the organisation and especially the information security function will probably be expected to pick up the pieces.

  3. Mitigate the risks using controls such as reviewing or auditing budget proposals, project plans etc., taking account of pertinent metrics relating to past, present and future performance, and securing adequate reserves for contingency purposes. There are numerous administrative, financial and managerial controls for containing the risks relating to operational expenditure, departmental performance etc., but don't neglect other types of risk, such as those relating to inept strategic planning or execution, and complexity in general.

  4. Accept the risks: take your chances and anticipate incidents. This is the default option. Even if strenuous efforts are made with other risk treatments, some residual risks inevitably remain (e.g. as-yet unrecognised dependencies, vulnerabilities, threats and impacts, and perhaps control failures), with implications for incident and continuity management.

Circling back to the timescale issue, the risks and risk treatments are not limited to the financial year ahead. Taking a longer-term perspective suggests planning and investing in strategic or fundamental changes designed to get the organisation into better shape for the future. In the area of security architecture, for instance, this might involve rationalising the organisation's information security arrangements, deliberately focusing on designing, building, exploiting and maintaining a defined and managed suite of core security capabilities and controls, perhaps scaling back or outsourcing non-core aspects.

There are many other long-term/strategic improvement opportunities to consider investing in e.g.:
  • Objectives, goals, mission, vision - these are of course central to the strategy, but are they sound, accurate, complete, up-to-date, fit for purpose etc.? How well does information risk and security integrate with, support and enable the rest of the business? Are procedural updates justified to improve the strategic information, decision-making and other aspects over the years ahead? If so, what needs to change, when and how?

  • People - not just within the information risk and security function but also other specialists, plus management and staff in general, hinting at security awareness, training and qualifications, corporate comms, culture, motivation, respect, rewards and more;

  • Tools and technologies, including whatever it takes to implement, use, maintain and exploit them to the max as opposed to being shelfware;

  • Capabilities - positioning the pot of people, products and procedures for productivity and purpose;

  • Maturity - particularly whatever aspects are currently holding things back in the sense of being missing, weak/ineffective, not entirely reliable etc., some of which probably reflect deep-rooted and longstanding issues;

  • Flexibility, resilience, responsiveness, proactivity e.g. supporting research and pilot studies in cutting-edge technologies, or substantially enhancing existing continuity approaches;

  • Relationships both internal and external, social and digital networking, collaboration and competition ...

  • Efficiency and/or effectiveness of the information risk and security arrangements, risk management, strategy formulation and implementation, change management etc.;

  • Definition, monitoring, use and value of risk and security metrics;

  • Information and knowledge management, data flows, applications, intellectual property etc., including the productive exploitation of risk, security and control-related information;

  • Savings, building up a war-chest for future investments or reserves in case of serious incidents;

  • Other: despite the length, this is not a comprehensive list ... which is itself a challenge. Does the organisation have a grip on all this? Is management thinking sufficiently creatively and analytically?

A significant part of the strategic challenge is to align with, support and perhaps drive the strategies in other areas of the business, and to respond to external factors beyond management's control. In particular, improving the organisation's capability to cope with complex dynamics and unforeseen risks could be seen as a long-term maturity objective, begging questions about what can and should be done in the year/s ahead to support that goal.

Congratulations if you've read this far. I appreciate I'm rambling through complicated and confusing stuff. It must be tempting to skim the gory details and simply focus on the immediate challenge of securing a nice fat security budget for 2025, in which case good luck with your not unreasonable starting point.

PS If you simply don't have the luxury of being able to invest strategically in the foundations for information risk and security, ask yourself why that is. Don't just accept your situation for what it is: think creatively about tackling the constraints, and make a start on that in 2025. For instance, if the business really is financially strapped at the moment, what can be done to improve - and demonstrate - the cost-effectiveness and value of information risk and security? If lack of understanding and support from senior management is your key issue, what would it take to change perspectives and opinions? Incremental or evolutionary change is a pragmatic but slow approach: how about proposing something more radical, a shake-up, perhaps in conjunction with other departments? If your brain hurts, maybe it's time to stop head-banging the wall and try something else.