The Dose Makes the Poison
How much cyberrisk is enough? How much is not enough? These are the questions that many boards of directors are considering as they begin questioning their organizations for clarity to develop an understanding of their cyberrisk posture. Furthermore, many organizations are struggling to understand at which level their risk appetite should be set. In absence of quantitative guidance, many choose a qualitative statement that reeks of equivocation: “We do not accept any cyberrisk and will comply with all applicable regulations.”
I have been reflecting lately on the old adage in toxicology credited to Paracelsus in the 16th century, which states, “All things are poison and nothing is without poison; only the dose makes a thing not a poison.” This principle serves as the basis for public health standards, which allows for contamination in food so long as it does not exceed certain thresholds. It is the reason the US Food and Drug Administration (FDA) maintains threshold levels of (in their words): “objectionable matter contributed by insects, rodents, and birds; decomposed material; and miscellaneous matter such as sand, soil, glass, rust, or other foreign substances.”
You see, complete eradication of these things would be economically infeasible and wholly unnecessary: We cannot taste it, and it does us no harm. Creating food to such standards would require clean rooms rivaling those used by Intel in fabricating silicon chips or hospital operating rooms (which, incidentally, also have nonzero quantities of contaminants). Nothing is without cost, and processing food at such levels would inevitably result in some children going hungry or suffering malnourishment for lack of affordable food. Indeed, if you have ever had the chance to pick raw fruits and vegetables, you are aware that even in its natural state, food can be pretty dirty.
Would food processing companies have a risk appetite statement indicating zero contaminants? To have that kind of policy would necessarily drive lots of governance into the organization. There would need to be significant funding to purchase equipment and employ staff to implement processes to accomplish that. I do not think they confuse the goal of zero contaminants with a risk appetite statement indicating such an expectation.
Are we asking organizations to do the same? Are we adopting zero-tolerance cyberrisk appetite policies with the intent of funding them at that level? And do customers really want products that have zero risk? (Imagine a typical checking account with the amount of controls necessary to have zero risk.) As risk professionals, we need to lead the way on having mature conversations about appetite, and that includes acknowledging that zero risk is an excessively ambitious goal. Doing so would cause companies to significantly misallocate resources when the truth is that a little bit of dirt is OK.
Jack Freund, Ph.D., CISA, CISM, CRISC, is senior manager of cyberrisk and controls for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, and 2016 inductee into the Cybersecurity Canon.
Leveraging Next-generation GRC
The role of governance, risk and compliance (GRC) is becoming increasingly important, and processes and solutions are becoming more automated. To help enterprises meet the strict GRC practices expected of them, ISACA and RSA have partnered to present the “Next-Gen GRC: Building a Road to GRC Maturity” webinar. This webinar will take place on 16 June at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.
GRC solutions are capable of connecting disparate risk disciplines to help organizations better identify, assess, manage, mitigate, monitor and report on risk. To learn how to move to these next-generation GRC solutions, a panel of 3 experts in the field of security and strategic planning will share their insights on how to leverage the latest GRC resources. They will discuss where to begin, the essential components of a GRC program, risk management practices, GRC challenges and supporting technologies.
To learn more about this webinar or to register for it, visit the Next-Gen GRC: Building a Road to GRC Maturity page of the ISACA web site.
Defining a Future Direction for the IS Audit Profession
There have been many changes in the IS audit profession since the EDP Auditors Association, now ISACA, was formed in 1969 and the first Certified Information Systems Auditor (CISA) certification was awarded by ISACA in 1978. Changes in how organizations structure responsibilities are caused by new ways of doing business as a result of new and emerging technologies. We can expect that these emerging technologies and changes in organization structures and roles and responsibilities will necessitate IS audit’s evolution as well. To shed light on that topic, ISACA is conducting a research project on what forces will most impact the IS audit profession, how they will affect what auditors do, what tools auditors will need and how they will operate in the future.
If you are an IS auditor at any level or have insight that would be useful in this project, you are invited to join the IS Audit Future Directions working group. To learn more about this working group or to volunteer for it, visit the Volunteer Opportunities page of the ISACA web site.
COBIT 5 for Business Benefits Realization
As benefits realization is one of the 3 objectives COBIT 5 defines for value creation—the overall goal for enterprise governance—each of the 5 COBIT 5 principles can be directly interpreted in the business benefits realization (BBR) context.
- Stakeholder Goals—These are those enterprise goals that COBIT 5 defines as having a primary relation to the benefits realization objective, such as:
- Stakeholder value of business investments
- Portfolio of competitive products and services
- Financial transparency
- Customer-oriented service culture
- Agile responses to a changing business environment
- Information-based strategic decision making
- Optimization of service delivery costs
- Optimization of business process functionality
- Optimization of business process costs
- Management of business change programs
- Operational and staff productivity
- Product and business innovation culture
- Covering the Enterprise End-to-end—This principle underlies the perspective that benefits realization means encompassing all of the business of the enterprise. It is further reinforced in COBIT 5 by the identification of 7 wide-ranging enablers that cover many conceivable dimensions of enterprise governance and management.
- Applying a Single Integrated Framework—While there are many IT-related standards and best practices, each providing guidance on a subset of IT-related activities, COBIT 5 is itself complete in enterprise coverage, providing a basis to integrate other frameworks, standards and practices. As a single overarching framework, it serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language. COBIT 5 aligns with other relevant standards and frameworks, and thus allows the enterprise to use it as the highest-level governance and management framework for enterprise IT, and to extract the necessary aspects for particular attention, as in the case of BBR. This is seen in the practical guidance provided by the COBIT 5 enablers.
- Enabling a Holistic Approach—COBIT 5’s 7 enablers are factors that, individually and collectively, influence whether something will work. They are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve. Enablers need to be considered in an interconnected context for the effective governance and management of IT for an enterprise—hence, for BBR.
- Separating Governance from Management—This COBIT 5 principle makes a clear distinction between governance and management. Each encompasses different types of activities, requires different organizational structures and serves different purposes. The delineation between governance and management of BBR is best seen through the applicable processes for each dimension. Using a process perspective for BBR, COBIT 5 defines governance through the EDM02 (Ensure benefits delivery) process, while management is done through 6 primary processes and 2 secondary processes.
For more information on this topic, read COBIT 5 for Business Benefits Realization, which is available from the ISACA Bookstore. Please visit www.isaca.org/bookstore, email firstname.lastname@example.org or telephone +1.847.660.5650.