After seeing the names of other corporations dragged through the mud in headlines following a security breach, more than six out of 10 risk management professionals worry about damage to their own organization’s reputation, according to a new study.
Organizations are increasingly becoming aware of just how much they need to manage risk, according to a Ponemon Institute report sponsored by software vendor RiskVision. More than eight out of 10 say that risk management is either “significant” or “very significant” to them in a survey of 641 people working within risk management. Yet just 14 per cent are willing to describe their organization’s risk management processes as “effective,” which suggests they may be kept up at night worrying about reputational damage.
“We wanted to get more clarity,” says Joe Fantuzzi, president and CEO of RiskVision. “There’s been so much noise about ransomware and insider breaches, etc. But are those really what senior management are worried about from day to day?”
To some degree, they are. Just over half of organizations said they fear security breaches, and the same proportion said they fear business disruption as potential fallout from ineffective risk management. Some industries, however, are doing a better job than others at the practice.
RiskVision’s software helps its clients manage risk, and those in the financial industry are already practised at it because of long-standing considerations like currency exchange rate fluctuations or loan interest calculations. The life sciences and technology industries are also more adept at it because of the value of the intellectual property they own, Fantuzzi says.
In some cases, the push for risk management comes from compliance requirements, as in the financial sector, while in others it comes from a competitive desire to protect unique assets. It is also often driven by frontline workers rather than implemented well as a top-down directive.
“The first line of defence is where people who understand risk the most are coming from,” Fantuzzi says. “It’s not coming from the oversight committee, it’s coming from the day-to-day operational people.”
The retail industry has just started to perk up its ears about a mature approach to risk management, he says. Recent headline-grabbing security breaches at major brands like Target and Home Depot have very publicly demonstrated the fallout that’s possible when organizations are bearing more risk than they intended and something breaks as a result.
According to the Ponemon study, organizations face several common barriers in putting a proper risk management program in place:
- 44 per cent cite a lack of resources
- 44 per cent cite complexity of risk management
- 43 per cent say they just don’t know how to get started
As a result, the majority of organizations just aren’t doing some risk management basics. For example, almost seven out of 10 fail to rate their assets based on criticality, and 69 per cent keep no metrics for determining how effective their risk intelligence actually is.
“It’s not just about having a process to manage risk, it’s about having analytics and using those to make intelligent decisions,” Fantuzzi says. “It allows you to make a decision about how much risk you want to have.”
Most risks are calculable and are shared across many industries, he adds. But how much risk a business wants to take on is unique to it, and is often based on the growth rate it wants to achieve. There’s no right or wrong answer about how much risk a company should bear; the key is knowing, for example, that you want to run at a risk level of about 10 per cent, and being able to measure whether you’re actually running at 30 per cent. Having standard metrics across departments is also critical for this.
To make that measurement possible, some organizations, particularly in finance and healthcare, have a vice-president of risk. In that scenario, the person running the IT department isn’t responsible for finding and managing risk – just for implementing the plan and reporting to the risk officer on that aspect.
In other companies, the chief information security officer manages risk where it’s related to IT, and the chief financial officer manages risk outside of the IT department.