
To become a risk management function, information security organizations need improved capabilities and a change in mind-set.

Capabilities for Information Risk Management

A RISK MANAGEMENT TOOLKIT

Competencies for the Transition from Information Security to Information Risk Management
Partial Lists

Security Operations
- Patching
- Protecting the network perimeter

Risk Reduction
- Ensuring compliance
- Creating information security policies
- Evaluating controls based on risk and benefit

True Risk Management
- Creating a holistic, forward-looking view of risk
- Defining, supporting, and socializing decision rights
- Understanding and aligning to the business's risk appetite

New Capabilities
- Obtaining a concrete understanding of business partners' risk appetite to ensure appropriate decision making
- Providing risk information risk owners can actually use to make good decisions
- Clarifying risk ownership and responsibilities

New Mind-set
- Being prepared to adjust risk appetite (probably up) to match that of risk owners
- Approaching technology and business changes as activities to enable rather than potential risks to be prevented
- Transferring risk decision-making responsibility to true risk owners

Information Risk Executive Council
Information Technology PRACTICE
www.irec.executiveboard.com
IREC0739611SYN

The Council analyzed members' risk management outcomes and identified two indices that represent the elements of true risk management effectiveness.

DEFINING RISK MANAGEMENT EFFECTIVENESS

Risk Management Effectiveness
Council Definition of Desired Outcomes

The Council surveyed CISOs about their ability to achieve 18 individual risk management outcomes. Using factor analysis, these outcomes were combined into Indices aligned to risk management goals. Details of the construction of the Indices are in the Appendix on p. 105.

Risk Management Effectiveness is measured by two Indices:
- Risk Understanding Index: ability to identify risks, assess vulnerabilities, and make informed investment prioritization decisions.
- Business Partner Engagement Index: business partners' ability to understand risk information, independently manage risks, and incorporate risk information into business decisions.


Introduction: Transforming Information Security into a True Risk Management Function

The Council's research model sought to understand what drives risk management effectiveness.

Capabilities for Information Risk Management

ANALYZING DRIVERS OF RISK MANAGEMENT EFFECTIVENESS

Drivers of Risk Management Effectiveness
Illustrative

Potential drivers include activities such as risk assessments of third parties or new projects. Attributes of activities, such as process standardization, are also considered potential drivers.

[Figure: funnel from potential drivers to significant drivers.]
117 Potential Drivers: 36 Activities, 81 Attributes of Activities
-> Regression Testing Against Outcome Indices ->
45 Significant Drivers: 16 Activities, 29 Attributes of Activities

The significant drivers are organized into three broad capabilities:
- Capability I: Creating a Holistic, Forward-Looking View of Risk
- Capability II: Defining, Supporting, and Socializing Decision Rights
- Capability III: Understanding and Aligning to the Business's Risk Appetite

Each capability is composed of activities, and activities have attributes. Capability I, for example, includes:
1.1 Assess new projects (% annually)
1.2 Assess business workflows (% annually)
    1.2.1 Standardization of business workflow risk assessments
    1.2.2 Automation of business workflow risk assessments
    1.2.3 Triage of business workflow risk assessments
1.3 Assess business units (% annually)

For a full list of tested drivers, see pp. 108–117.


Activities have different attributes.

ASSESSING DRIVERS OF RISK MANAGEMENT EFFECTIVENESS

Risk Management Effectiveness Diagnostic
(n = 67.)

1. Deploy Survey
CISOs surveyed on risk management drivers and outcomes.

Outcomes
- Risk Understanding Index
- Business Partner Engagement Index

Sample Drivers (1)
Activities
- 1.1 Assess new projects (% annually)
- 1.2 Assess business workflows (% annually)
- 1.3 Assess business units (% annually)
Attributes
- 1.2.1 Standardization of business workflow risk assessments
- 1.2.2 Automation of business workflow risk assessments
- 1.2.3 Triage of business workflow risk assessments

2. Assess Drivers of Effectiveness
Outcome indices created through factor analysis.
Regression analysis used to determine how drivers affect outcomes.

Illustrative Driver: 2.2 Define Decision Rights Clearly
Average Outcome, Indexed
[Figure: bar chart of Outcome Index (Low to High) against Driver level (Low to High). Decision Rights Not Defined: 100. Clear Decision Rights and Tracking: 136. Difference = 36% (Benefit).]

3. Translate Findings into Practical Guidance
Distill the practical implications of the data.
Provide real-world illustration of key insights via practitioner tools and tactics.

(1) For the full list of tested drivers, see the Appendix on pp. 108–117.
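The indexing used in step 2 above, as an added worked example that is not part of the Council's deck or data: a handful of constructed survey records, a binary driver (coded 0 for "decision rights not defined", 1 for "clear decision rights and tracking"), and the calculation of the average outcome indexed to the low group (low = 100, so high = 136 reads as a 36% benefit). An ordinary least-squares slope serves as the regression cross-check, and a Welch t statistic with an assumed cutoff stands in for whatever significance test lies behind the chart's "0% *" convention. The record field names, the indexing rule, and the cutoff of 2.0 are assumptions, not the Council's method.

```python
"""Indexed benefit of a binary driver, in the shape of the deck's
"Average Outcome, Indexed" chart (low driver group = 100).

Added example, not the Council's code or data: the survey records are
constructed, and the indexing rule and the significance cutoff are assumptions.
"""
from math import sqrt
from statistics import mean, variance

# Constructed respondent records (assumed field names). "outcome" is a score on
# one outcome index, e.g. Business Partner Engagement; each driver is coded
# 0 = low (e.g. decision rights not defined) or 1 = high (e.g. clear decision
# rights and tracking).
SURVEY = [
    {"id": 1, "decision_rights_defined": 0, "tracks_vuln_data": 0, "outcome": 40.0},
    {"id": 2, "decision_rights_defined": 0, "tracks_vuln_data": 1, "outcome": 50.0},
    {"id": 3, "decision_rights_defined": 0, "tracks_vuln_data": 0, "outcome": 60.0},
    {"id": 4, "decision_rights_defined": 1, "tracks_vuln_data": 1, "outcome": 60.0},
    {"id": 5, "decision_rights_defined": 1, "tracks_vuln_data": 0, "outcome": 68.0},
    {"id": 6, "decision_rights_defined": 1, "tracks_vuln_data": 1, "outcome": 76.0},
]

# Assumed rough two-sided 5% cutoff on |t|; illustrative, not the Council's test.
T_CUTOFF = 2.0


def split_by_driver(records, driver):
    """Outcome scores of the low (0) and high (1) groups for one driver."""
    low = [r["outcome"] for r in records if r[driver] == 0]
    high = [r["outcome"] for r in records if r[driver] == 1]
    return low, high


def ols_slope(x, y):
    """Least-squares slope of y on x. For a 0/1 driver this equals
    mean(high group) - mean(low group), which is why the chart's index
    difference and a one-driver regression coefficient tell the same story."""
    mx, my = mean(x), mean(y)
    num = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    den = sum((xi - mx) ** 2 for xi in x)
    return num / den


def welch_t(a, b):
    """Welch's t statistic for the difference mean(b) - mean(a)."""
    return (mean(b) - mean(a)) / sqrt(variance(a) / len(a) + variance(b) / len(b))


def driver_benefit(records, driver, cutoff=T_CUTOFF):
    """Index the high group's average outcome against the low group's (= 100)
    and report the difference as the driver's benefit, or 0% when the
    difference is not significant (the chart's asterisk convention)."""
    low, high = split_by_driver(records, driver)
    if len(low) < 2 or len(high) < 2:
        raise ValueError(f"driver {driver!r}: need at least two respondents per group")
    high_index = round(mean(high) / mean(low) * 100.0, 1)
    t = round(welch_t(low, high), 2)
    significant = abs(t) >= cutoff
    return {
        "driver": driver,
        "n_low": len(low),
        "n_high": len(high),
        "low_index": 100.0,
        "high_index": high_index,
        "t": t,
        "significant": significant,
        "benefit_pct": round(high_index - 100.0, 1) if significant else 0.0,
    }


if __name__ == "__main__":
    for drv in ("decision_rights_defined", "tracks_vuln_data"):
        r = driver_benefit(SURVEY, drv)
        flag = "" if r["significant"] else " *"
        print(f"{drv}: low {r['low_index']:.0f}, high {r['high_index']:.0f}, "
              f"benefit {r['benefit_pct']:.0f}%{flag} (t = {r['t']})")
    x = [row["decision_rights_defined"] for row in SURVEY]
    y = [row["outcome"] for row in SURVEY]
    print("OLS slope for decision_rights_defined:", ols_slope(x, y))
```

With these constructed records the decision-rights driver indexes at 136 against 100 (a 36% benefit, matching the deck's illustrative driver), while the second driver shows a small, non-significant difference and is therefore reported as 0% with an asterisk; the OLS slope of 18 points is exactly the gap between the two group means, which is what the indexing divides by the low-group mean to express as a percentage.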


MANY LEVERS TO PULL

Benefit to Risk Management Effectiveness (1)
All Drivers

[Figure: horizontal bar chart of benefit (0% to 100%) for every tested driver, grouped by capability, with activities and attributes of activities shown in different shading. Drivers marked * have no statistically significant benefit and are plotted at 0%. The benefit values survive the extraction only as a column per capability; the pairing of each value with its driver is given here only where the deck states it elsewhere.]

I. Creating a Holistic, Forward-Looking View of Risk
Drivers with a statistically significant benefit (values as extracted: 94%, 90%, 84%, 78%, 71%, 70%, 69%, 61%, 60%, 56%, 54%, 44%, 44%, 36%, 29%, 26%, 26%, 24%, 24%, 22%, 20%):
- 1.1 Assess New Projects (% Annually)
- 1.2 Assess Business Workflows (% Annually)
- 1.2.1 Standardization of Business Workflow Risk Assessments
- 1.2.2 Automation of Business Workflow Risk Assessments
- 1.2.3 Triage of Business Workflow Risk Assessments
- 1.3 Assess Business Units (% Annually)
- 1.3.1 Triage of Business Unit Risk Assessments
- 1.6 Implement Formal Processes for Identifying Emerging Risks
- 1.6.1 Standardization of New Risk Identification Processes
- 1.6.2 New Risk Identification: Output Actionability
- 1.6.3 New Risk Identification: Incorporation of External Perspectives
- 1.8 Track and Analyze More Than 10 Types of Data
- 1.9 Conduct Penetration Tests
- 1.10 Track End-User Awareness Data
- 1.11 Analyze Tickets/Patch Data
- 1.12 Conduct Independent Reviews
- 1.13 Gather Subject Matter Expertise on Emerging Threats
- 1.20.1 Aggregation of Risk Assessment Results
- 1.21.1 Centralization of Data
- 1.21.2 Standardization of Testing of Control Effectiveness
- 1.21.3 Automation of Testing of Control Effectiveness
Drivers with no statistically significant benefit (0% *):
- 1.1.1–1.1.4 New Projects Assessment Selection Method
- 1.2.4–1.2.6 Business Workflow Assessment Selection Method
- 1.3.2–1.3.4 Business Unit Assessment Selection Method
- 1.4 Conduct Data-Focused Assessments (% Annually)
- 1.4.1–1.4.4 Data-Focused Assessment Selection Method
- 1.5 Assess Major IT Systems (% Annually)
- 1.5.1–1.5.4 Major IT Systems Assessment Selection Method
- 1.14 Track Vulnerability Data
- 1.15 Conduct Virus Scans
- 1.16 Track Incident Reports
- 1.17 Analyze Near Miss Incident Data
- 1.18 Track External Threat Feeds
- 1.19 Maintain Comprehensive Asset Inventory
- 1.20.2 Length of Risk Assessment (Number of Questions)
- 1.20.3 Usage of an Off-the-Shelf Risk Assessment Framework (e.g., OCTAVE, FAIR)

II. Defining, Socializing, and Supporting Decision Rights
Drivers with a statistically significant benefit (values as extracted: 77%, 72%, 70%, 70%, 59%, 59%, 58%, 57%, 52%, 45%, 43%, 42%, 41%, 36%, 35%; the deck's illustrative driver, 2.2 Define Decision Rights Clearly, is 36%):
- 2.1 Select Remediation Measures Based on Defined Rules
- 2.1.1 Standardization of Remediation of Control Gaps
- 2.1.2 Standardization of Communication of Remediation Plans
- 2.1.3 Automation of Remediation of Control Gaps
- 2.1.4 Automation of Communication of Remediation Plans
- 2.2 Define Decision Rights Clearly
- 2.3 Report Risk to Senior Leadership More Than Once per Year
- 2.4 Train Business Partners on Risk
- 2.6.1 Standardization of Risk Acceptance Processes
- 2.6.2 Automation of Risk Acceptance Processes
- 2.7.1 Standardization of Information Risk Report Generation
- 2.7.2 Maintenance of Business Process Maps
- 2.7.3 Automation of Information Risk Report Generation
- 2.7.4 Level of Security Analysts' Understanding of the Business
- 2.7.5 Standardized Channels for Risk Communication

III. Understanding and Aligning to the Business's Risk Appetite
Drivers with a statistically significant benefit (values as extracted: 67%, 48%, 41%, 34%):
- 3.1 Use a Formal Statement of Risk Appetite to Guide Decisions
- 3.1.1 Standardization of Risk Appetite Determination
- 3.1.2 Risk Appetite Determination Through Formal Discussions with Business Partners
- 3.2 Integrate Risk Silos (e.g., ERM)
Drivers with no statistically significant benefit (0% *):
- 3.1.3 Risk Appetite Determination Through Informal Consideration of Past Risk Decisions
- 3.1.4 Risk Appetite Determination Through Formal Tracking of Past Risk Decisions
- 3.1.5 Risk Appetite Determination Through Informal Discussions with Business Partners
- 3.1.6 Risk Appetite Determination Through Interpretation of Public Statements
- 3.3.1 Use of a "GRC Tool" to Collect Information from Stakeholders

Other Drivers
Drivers with a statistically significant benefit (values as extracted: 45%, 41%, 40%, 35%, 30%):
- 4.1 Centralize the Security Function
- 4.2 Hire Trained, Experienced Security Analysts
- 4.4.1 Integration of Risk and Compliance Controls Implementation and Management
- 4.4.2 Integration of Risk and Compliance Controls Assessments
- 4.4.3 Integration of Risk and Compliance Reporting
Drivers with no statistically significant benefit (0% *):
- 4.3 Hire Analysts with an Information Security Certification (CISSP, CISM, etc.)
- 4.4.4 Security Framework Usage: ISO
- 4.4.5 Security Framework Usage: COBIT
- 4.4.6 Security Framework Usage: ITIL
- 4.4.7 Security Framework Usage: NIST
- 4.4.8 Security Framework Usage: Other
- 4.4.9 Security Framework Usage: None

n = 67.
(1) The benefit of each driver is measured against the most relevant of the two outcome indices, either Risk Understanding or Business Partner Engagement (see p. 7).

Source: IREC Risk Management Effectiveness Diagnostic, 2011.

