Tips for Understanding Your Organization’s Risk Culture
“Culture eats strategy for breakfast.” These words, attributed to the late management consultant Peter Drucker, are often used to describe organizations that fail despite having a great strategy, the best trained staff or abundant revenue. But what is culture and how does it impact risk management in an organization?
Risk culture, as defined by the Institute of International Finance, is the norms and traditions of individuals and groups within an organization that determine the way in which they identify, understand, discuss and act on the risk the organization confronts and takes. In the nearly 30 years since the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) published its 1987 Report of the National Commission on Fraudulent Financial Reporting, there have been numerous examples of organizations that have ignored the counsel of their auditors and attorneys and proceeded to engage in risky and sometimes unlawful behaviors.
Here are some considerations for understanding how risk culture impacts all decisions in an enterprise, but most especially the human-centered decisions that may unnecessarily increase exposure to risk factors that have the ability to negatively impact the organization:
- Leadership to set direction and ethical standards—The organization’s mission, values, vision and purpose should be clearly defined and communicated. There should be an organizational roadmap that connects the work done in the enterprise to the higher-order value chain of the organization. Each person in the organization should know that the work they do supports the greater whole and should be constantly on the lookout for risk that would prevent objectives from being achieved. People should feel safe to speak up when something is wrong without fear of reprisal. If there is no proactive identification of risk, noncompliance with policy has no consequences or if excessive risk taking is financially rewarded, then risk management is not aligned with corporate ethics.
- Sponsorship to provide support and resources—Senior leaders should put their money where their mouth is when it comes to funding and resourcing risk management activities. This does not mean no hard questions should be asked or there is no need to justify expenditures; it just means that there is demonstrable funding and resources for activities to manage the most significant risk to the organizational strategies and objectives. If your organization places primary funding on compliance and audit activities, then it is not prioritizing risk management as an organizational competence. Even in enterprises in which there are many of the components of security—staff, software, hardware, procedures, policies and standards—without a culture to bind them to the overall corporate values, the best that can be hoped for is mechanistic compliance with the routine requirements of protecting information.
- Governance and oversight to ensure the process is achieving its goals as expected—The inclusion of risk management as a focus area of the broader governance activities is necessary to align the stated mission, vision, values and actions of the enterprise with the management activities needed to ensure those objectives are met. The responsibility of effective governance is to align risk behaviors with the organization’s risk appetite and tolerance. If the board or other senior leadership governance is only receiving information on risk factors from the audit committee, then there is a lack of knowledge about the difference in roles between risk management and audit. Each area of focus, risk management and audit has a role to play in the organization, but senior leaders cannot expect to understand the totality of the risk that the enterprise faces with only internal control and compliance-related reporting. To gain a thorough understanding of the organization’s risk, the board needs to interact with the business units or frontline managers who are managing risk on a day-to-day basis and not just rely on the chief financial officer or chief executive officer to report on risk factors.
Just having an enterprise risk management (ERM) function alone cannot change the culture of an organization without leadership, sponsorship and support from upper management. The ISACA publication Creating a Culture of Security extends the thought leadership around culture as related to information security and the publication COBIT 5 for Risk has extensive descriptions of how cultural aspects such as communication, rules, incentives, rewards and raising awareness can influence risk behaviors.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Impact of US Cybersecurity Information Sharing Act
With the growing importance of cybersecurity, the US Congress has passed the Cybersecurity Act of 2015. It provides a framework that promotes information sharing between government entities and private-sector organizations. The Act took effect upon passage on 18 December 2015 and will remain in effect through 30 September 2025. The Cybersecurity Nexus (CSX) special report U.S. Enacts Cybersecurity Information Sharing Legislation provides detail on the specifics of the legislation as well as the provisions, policies and procedures resulting from it.
The main objective of the legislation is to promote information sharing so that knowledge about a threat found on one system can be shared quickly with the federal government and other organizations, which may help prevent the threat resulting in an incident at other enterprises and help mitigation efforts. While sharing information is completely voluntary, companies that follow the framework will receive legal liability safeguards.
In addition to information sharing, the Cybersecurity Act of 2015 mandates reports on the cybersecurity vulnerabilities of US ports and mobile device security of the federal government. The Homeland Security Act of 2002 was amended to be consistent with new Cybersecurity Act of 2015 to promote the advancement of cybersecurity. The Cybersecurity Act also requires an assessment of the US cybersecurity workforce. The CSX special report discusses the Cybersecurity Act and how it addresses today’s cybersecurity concerns.
Read the U.S. Enacts Cybersecurity Information Sharing Legislation special report on the ISACA web site.
Preparing for a Breach Investigation
While no organization wants to be the target of a security breach, it is important that organizations know how to react in the event of an incident. To help organizations learn how to prepare for breach investigations, ISACA has partnered with Savvius to present the Preparations Required in 2016 for Effective Breach Investigations webinar. This webinar will take place on 14 January at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.
Larry Zulch, president at Savvius, and Keatron Evans, partner at Blink Digital Security, will lead this webinar. They will discuss strategies for using network packets to enhance security investigations. To make investigations easier, Zulch and Evans will also discuss long-term network packet storage strategies and how to make network packets available for breach investigations.
To learn more about this webinar or to register for it, visit the Preparations Required in 2016 for Effective Breach Investigations page of the ISACA web site.
Unlock the Potential of Mentoring at ISACA Webinar
Finding a mentor can be a valuable method to be competitive in the workplace. Because those who receive mentoring are more likely to find well-suited opportunities and progress faster, ISACA will present the Mentoring: A Critical Input and Output For Fast-Tracking Your Career webinar. This webinar will take place on 20 January at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.
Caitlin McGaw, president of Candor McGaw, Inc., will lead this webinar. McGaw will share the practical knowledge needed to find mentors, to be a successful mentee and to become a mentor to others. McGaw will discuss the characteristics of a sound mentoring relationship and the process of finding a mentor in an organization that may not have a formal mentoring process.
To learn more about this webinar or to register for it, visit the Mentoring: A Critical Input and Output For Fast-Tracking Your Career page of the ISACA web site.
ISACA CEO Visits China to Discuss Future Plans
ISACA’s chief executive officer (CEO) Matt Loeb, CGEIT, CAE, visited China in November to better understand the information security environment there and the unique concerns of the country. Loeb met with information security leaders in various industries, including government, academia and training.
Loeb also met with ISACA members and certification holders to learn more about the resources ISACA can provide to support the needs of China’s rapidly developing economy. At an appreciation dinner for 25 ISACA members and certification holders, Loeb shared the progress ISACA has made, new initiatives that ISACA will undertake and plans for development in China. Dinner attendees also had the opportunity to discuss their concerns, challenges and expectations with the ISACA CEO.
To learn more about the ISACA China Hong Kong Chapter, visit the China Hong Kong Chapter website.
Book Review: Cybersecurity for Executives: A Practical Guide
Computers were initially valued for their processing capacity, being the only devices available with this skill. But now, the ability to connect to other computers and devices and to the Internet is one of the computers’ most valued traits. However, this trait brings new cybersecurity challenges. Compromised data, network outages, malicious code and other incidents regularly affect information and systems and could even be life-threatening. Data processed, stored and transmitted through networks and the Internet need to be protected.
Cybersecurity for Executives: A Practical Guide helps executives from all business sectors better understand the nature and extent of cybersecurity. The book has 10 chapters. It begins by introducing cybersecurity as a relatively new discipline with no agreed-upon spelling of the term or single definition. The next chapters present cybersecurity as a business need and describe it in terms of risk. The book outlines how to incorporate cybersecurity into the organization strategy, how to train personnel and create an effective team, and the importance of considering cybersecurity.
Chapter 9, titled “What To Do When You Get Hacked, ” describes, in plain language, how to prepare for an attack and what to do when it happens, including the importance of managing public relations and legal issues. The book concludes with an original cybersecurity-related scenario, written as a script and simulating a series of board meetings addressing the topic of cybersecurity.
The expertise of the authors of Cybersecurity for Executives has allowed them to introduce cybersecurity in a practical manner, even though it is a complex subject. The book is easy to read and full of real-life cases and examples that make it enjoyable reading.
The authors of this book state, “If it is connected to the Internet, your system is exposed to countless risks….make cybersecurity part or your daily practices.” For those who are IT professionals, executives in any industry at any corporate level, board members, or those with managerial responsibilities, this book is a must read.
Cybersecurity for Executives: A Practical Guide is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email firstname.lastname@example.org.
Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different positions related to information technology in the Argentine government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the past president of the ISACA Buenos Aires (Argentina) Chapter.