One thing I miss about corp IT is participating in how information security politics evolve as regulations and the ecosystem advance. OK, maybe I don't miss the politics. However, I find the accountability structure fascinating because it speaks to the relative immaturity of IT security. Here's the backdrop: I recently returned from the CSO Perspectives conference and one of the themes from speakers was how CSOs need to integrate under Enterprise Risk Management (ERM). No real details, just a need to make sure you're under the umbrella. Second, as the GRC market races to the bottom on re-engineering compliance workflow, they seem to be turning their attention to ERM. Selling to the Chief Risk Officer, COO, CEO, who knows? Next, before WaMu collapsed I saw a really interesting development on the horizon. ERM caught wind of our ability to measure and communicate risk. Some risks were "unacceptable" and actively being mitigated. ERM needed to be included in this process, but what should their role be, who controlled the message to the Board of Directors (BoD), and what if we disagreed? I started sketching the RACI and warmed up the back channel. For the record, I love the idea of ERM. However, with great power comes great responsibility (or is it accountability, contributor, informed :-).
Also, I recently heard an anecdote where an ERM-like function justified a large infosec initiative. Great, you say. More visibility and funding for security? My take from this particular story was a dilution of the value a CSO brings and future confusion in the ranks. Does any of this conjure up ghosts of audit battles past...? Are you already cozy with ERM, just dating, or exchanging fleeting glances?
What role should ERM play in:
Of course I have my opinion and the answers will vary across industries. For kicks, I whipped up a hypothetical RACI with ERM in the infosec picture, or should I say infosec in the ERM picture.
RACI with ERM
ERM is simply another player concerned about IT security and their job is to manage overall business risk. ERM may become your biggest ally. They'll also behave like everyone else: justify their existence, manage their success, and help the business make money. This conjures up one of my favorite axioms, if you don't lead and carve out your role, someone else will. The game is getting more interesting and the best course is to shore up your infosec processes - especially IT security risk management.
A new dog
My challenge with audits past was the need to reinforce roles for who defined acceptable risk, mitigation design, and timelines. ERM is a different beast. There's a chance their overall viewpoint may strengthen the relative priority of infosec risk, identify dependencies, and give infosec a greater voice in the business. I can imagine this nirvana with good leadership in both the infosec and ERM camps. In the absence of strong leadership, I suggest falling back to clear process definitions (and sometimes clear spirits).
Another interesting change is the escalation point. In a world where infosec wasn't on ERM's heat map, infosec escalation usually peaked at the CSO's boss. Assuming the Chief Risk Officer reports to the CEO, we now have a new tie breaker. Hopefully your last golf trip with the CEO went well, or at least the CEO is fully bought into the program because you've been socializing your security strategy. Since my experience with ERM is limited, I don't have a lot to add except to highlight another example where process definition may make everyone's job a lot easier and ultimately make the business more money. I have more under-the-covers ERM stories, but I'll save them for another day if there's interest.