Believe me, I know how hard it is to get funding to strengthen your information risk management program. Ask pretty much any CEO to find the time to talk about risk management (much less formalize a risk management program) and you’re likely to get an eye roll.
Fewer than half (45%) of the 103 U.S. CEOs surveyed by PwC in 2015 are “extremely concerned” about cyber threats (including lack of data security), even as they invest more and more in technology to improve business performance.
Their investment interests are in innovating and accelerating the impact of technology for their customers, not so much in protecting the data itself.
Your compliance and security teams may be approaching you, as the CFO, to be their advocate in obtaining the funds needed to set up or strengthen your information security or compliance programs. CFOs have historically been risk-averse by nature, focusing on protection of the business and the bottom line. But in the world we are now facing, CFOs will be expected to bring innovative ideas to the table to help their companies remain competitive.
How can a CFO balance the risk/reward equation in a manner that will make a CEO take interest in risk management decisions? You have to bring the facts into focus. Information risk management involves eight steps, none of which are quick or easy, especially the first time they’re taken.
- The first step is to identify all the assets that contain or transmit the information you are trying to protect. It may be PII (personally identifiable information), PHI (protected health information), PCI (payment card information), or any other proprietary or sensitive information important to the business. Those information assets include not only applications but the “media” that hold those applications, such as servers, backup tapes, desktops, laptops, and thumb drives.
- The second step is to identify the threats to those assets. Threats typically fall into four categories: environmental (floods, lightning, fires), structural (infrastructure or software failure), accidental (uninformed or careless users), and adversarial (hackers, malicious insiders).
- The next step is to identify the vulnerabilities of those assets. For example, no data backup, no encryption, weak passwords, no remote wipe, no surge protection, no training, no access management, no firewalls, no business continuity plans.
If you don’t have all three things – assets, threats and vulnerabilities – then there is no risk to your information. Making informed decisions on risk treatment involves listing all combinations of assets, threats to those assets, and the vulnerabilities that may be exploited. Once that inventory is complete, the hard work begins:
- The fourth step is to determine the likelihood of each threat exploiting each vulnerability. What makes this step particularly hard (in addition to the volume) is the lack of specific data to support a calculable percentage of likelihood. Some organizations use a simple high/medium/low ranking. But there are many metrics for assessing likelihood, including industry breach statistics, data-type breach statistics, data loss statistics by cause, industry complaint statistics, the breach and/or complaint history of your own organization, and the details of any security or privacy incidents.
- The fifth step is to determine the impact on your organization if that bad thing happens. There are many methods for determining the impact, the easiest being the $200 per breached record as annually determined by the Ponemon Research Institute, or calculating the cost more specifically for your organization using the free Excel model on the ANSI website, which provides values for a variety of cost variables involved in a breach. The costs include remediation (the cost of the control/safeguard that should have been put in before the breach) plus mitigation, remuneration, legal costs, fines or penalties, business distraction, and reputational costs.
- At this point, you generate a risk-rating list, with high likelihood/high impact risks at the top, low likelihood/low impact risks at the bottom, and everything else in between.
- You must then find solutions and determine costs for all risks that have scored above the organization’s risk tolerance line.
- The final step is one in which you reach a decision on the risk treatment. Let’s take, for example, lost or stolen laptops as the risk, which represents about 20% of the health-care breaches listed on the Health and Human Services websites. An unencrypted laptop used in the field could be considered high risk, depending on what safeguards (other than encryption) are in place. The risk can be accepted, transferred (for example, outsourced to clinician group firms), avoided (no more laptops in the field), or mitigated (extra-strong passwords, remote wipe, tracking software, and so on).
As CFO, you know the risk appetite of the C-suite and the limitations of the budgets. Make sure the investments being recommended are in line with your organization’s strategy and operational needs. It’s important to either establish or strengthen an internal risk management governance council to guide decision-making.
The eight steps outlined here are rigorous, but that’s only the beginning. Your organization has to constantly reevaluate the many risks it faces. It takes time, energy and commitment – but that ongoing vigilance has its rewards: helping you avoid the staggering costs and reputational damage stemming from a data breach.
Mary A. Chaput is CFO of Clearwater Compliance in Nashville, Tennessee.