Introducing an Automated Approach to Risk Management

May 26, 2021

  • It’s difficult to track ownership of risk issues and measure progress or modifications to the environment. Combine these factors and it significantly increases the difficulty of understanding risk in relation to business requirements.
  • The inability to effectively understand, assess, align, track and resolve audit and compliance issues drives the need for automation.
  • Risk automation allows you to provide business-based context and validation to the technical activities and controls provided by both IT and cybersecurity.

Too often, cyber risk programs are focused on technology controls with a slant toward Information Technology Infrastructure Library (ITIL) principles. ITIL is a widely adopted IT service management framework that many organizations use to provide structure and guidance for their day-to-day operations.

We generally see risk assessed in terms of operational risk, with a rough estimate or a low/medium/high rating based on the expected degradation of system performance. Rarely do we see those systems referenced against, or aligned with, the business processes they support. Classification and prioritization of specific systems and applications should instead be based on how critical they are to those business processes.

When risk is discussed in IT, the focus is usually on audit activities, remediation and compensating controls. These efforts tend to be all-or-nothing (a control is either in place or it is not) and generally don't take a granular view of the business impact; audit management and remediation can be a constant churn of activity with no real way to assess progress or the impact of changes until the next audit. It’s difficult to track ownership of issues and measure progress or modifications to the environment. Combined, these factors significantly increase the difficulty of understanding risk in relation to business requirements.

Compliance management also proves challenging and is generally treated the same as internal and external audits. The key difference between compliance requirements and audit processes is the business alignment aspects of compliance. The drivers for achieving and ultimately maintaining compliance across PCI, HIPAA and other standards are business-affecting activities and must be handled accordingly.

A lack of compliance management often leads to inefficient use of the resources needed to maintain the program. Frequently, weak planning and oversight cause a ripple effect throughout an organization, requiring heroic remediation efforts and harming other projects that must be put on hold while remediation is performed.

The inability to effectively understand, assess, align, track and resolve audit and compliance issues drives the need for automation.

What is Risk Automation?

Risk automation is the practice of using governance, risk and compliance (GRC) or enterprise risk management (ERM) tools and technologies to manage risk programmatically. It is most valuable for organizations that must meet compliance requirements such as HIPAA, CMMC or PCI.

Risk automation can help you resolve risk management and compliance issues while fostering better business alignment and critical process maturity across:

  • Compliance management
  • Governance management
  • Configuration and change management
  • Disaster recovery
  • Third-party and supply chain risk
  • Enterprise risk management
  • Findings management and remediation

Automation allows for the efficient management of control testing and validation and of routine reporting. It also enables real-time risk exposure reporting by integrating with SIEM technologies, vulnerability scanning and management tools, and external threat feeds.

Technology and security operations; third-party management; supply chain risk; IT and business resilience risks; and compliance and governance risks can be managed and reported in a single platform.

Becoming Risk-Aware and Business-Aligned

The most effective cyber risk programs generally have two things in common: a culture that is risk-aware and alignment with business goals and objectives. Understanding and managing key risk principles, coupled with business alignment, provides organizations with the ability to clearly understand where controls need to be implemented and to what extent.

Using risk automation, you can leverage operational metrics, threat intelligence, compliance requirements, governance controls and other information to articulate the risk associated with a specific business process. You can then make an informed recommendation to leadership on the depth and breadth of controls required to protect those processes. Risk automation allows you to provide business-based context and validation to the technical activities and controls provided by both IT and cybersecurity.

Framework Alignment

Most organizations work to align to a specific framework, such as NIST or ISO, to provide direction and guidance to their cyber risk management program. Alignment to a framework, together with the management and monitoring of its controls, is readily achieved by leveraging GRC/ERM management tools. Risk automation platforms allow you to test once and comply with many: a single internal control is mapped to the requirements it satisfies in each framework, so one round of testing produces evidence for all of them. Given the ever-expanding need to share information about your program with third-party partners and to validate compliance requirements, risk automation makes it straightforward to map controls from one framework to another.
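The "test once, comply with many" idea above, worked as a small crosswalk, is an added illustration and not code from the post or from any GRC product. The control IDs, framework requirement IDs, business processes and criticality scores are all constructed placeholders; it also ranks failed controls by the criticality of the business process they protect, as the post argues prioritization should be done.

```python
from collections import defaultdict

# Constructed crosswalk: internal control -> framework -> requirement IDs satisfied.
# IDs are placeholders, not quotations from any real framework.
CROSSWALK = {
    "CTL-01": {"FrameworkA": ["A-1.1"], "FrameworkB": ["B-8.3"]},
    "CTL-02": {"FrameworkA": ["A-2.4", "A-2.5"], "FrameworkB": ["B-3.1"]},
    "CTL-03": {"FrameworkA": ["A-5.2"]},
}

# Constructed business alignment: which processes each control protects,
# and how critical each process is (higher = more critical).
CONTROL_PROCESSES = {
    "CTL-01": ["card-payments"],
    "CTL-02": ["card-payments", "payroll"],
    "CTL-03": ["marketing-site"],
}
PROCESS_CRITICALITY = {"card-payments": 3, "payroll": 2, "marketing-site": 1}


def framework_status(test_results):
    """Project one round of control tests onto every framework's requirements.
    test_results: {control_id: bool}. Returns {framework: {requirement: bool}}.
    A control with no recorded test result is treated as failing."""
    status = defaultdict(dict)
    for ctl, frameworks in CROSSWALK.items():
        passed = test_results.get(ctl, False)
        for fw, reqs in frameworks.items():
            for req in reqs:
                # A requirement backed by several controls is met only if all pass.
                status[fw][req] = status[fw].get(req, True) and passed
    return dict(status)


def coverage(status):
    """Fraction of each framework's mapped requirements currently satisfied."""
    return {fw: sum(reqs.values()) / len(reqs) for fw, reqs in status.items()}


def remediation_queue(test_results):
    """Failed controls ordered by the most critical business process they protect,
    then by how many framework requirements fixing them would satisfy."""
    failed = [c for c in CROSSWALK if not test_results.get(c, False)]

    def key(ctl):
        crit = max(PROCESS_CRITICALITY[p] for p in CONTROL_PROCESSES[ctl])
        reqs = sum(len(r) for r in CROSSWALK[ctl].values())
        return (-crit, -reqs, ctl)

    return sorted(failed, key=key)
```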

Simplified Compliance

Effective reporting and monitoring of compliance requirements is also easily achieved by leveraging a risk automation program. These processes allow you to align your framework or cyber risk governance initiatives with your compliance requirements, such as PCI/HIPAA and various privacy codes, to ensure that you are managing them efficiently and effectively.

Compliance is a business enabler. Partners value the security provided by working with organizations that actively maintain and support compliance standards. Risk automation can help you quickly and thoroughly demonstrate that you’re in compliance with relevant requirements. Response timeliness can be a differentiator in the selection process and reduce the stress and effort required to pull information together.

With an automated process, you can track compliance requirements and readiness in real time, helping you plan for, achieve and maintain the compliance requirements that apply to you. You can also define the impact of compliance on the business, ensuring that these processes and programs receive the focus needed to support the company’s success.

Third-Party Risk Management

Organizations that rely heavily on or provide third-party services also benefit from an automated programmatic approach. The efficiencies gained in providing and responding to third-party attestation requests or responses can reduce the overhead of managing these risks. The data can also communicate risk associated with doing business with these partners so controls can be adjusted accordingly. The importance of understanding the impact of third-party relationships will continue to grow as companies focus more on their key objectives and outsource less critical tasks. The recent changes to CMMC/DFARS will also require additional attestation and testing to maintain current relationships with, and participation in, future DoD opportunities.

GRC and ERM Tools Selection

Risk automation can be facilitated by many of the GRC and ERM tools on the market today. Selecting the proper tool to support your program should focus on which product best supports your risk objectives. Having a mature risk program already in place will give you the quickest return on your GRC or ERM tool investment, because the tool can immediately automate existing testing and validation processes and provide routine, standard reporting. If your risk program is not yet mature, you will have to make an educated guess about what it will need, and in some cases the tool selected may limit some capabilities.

Most vendors deliver their products in a SaaS or PaaS environment. This reduces day-to-day care-and-feeding demands but frequently means limited customization and a lack of version control over the platform. On-premises editions are available for some of the major products and can be deployed in your own environment.

Seeking Program Maturity

Risk automation aligns IT and cyber risk initiatives with key business concerns and allows you to focus on what’s important to the business. Organizations looking to take their risk and cyber security programs to a more business-aligned, meaningful level should consider risk automation technologies and services to further maturity. Risk automation provides the ability to deliver business-aligned metrics around remediation efforts, current risk exposure, risk acceptance processes, risk and issue ownership and overall business risk impact.

Risk automation, aligned with other tenets of risk management and supporting processes such as an ITIL configuration management database (CMDB), allows you to narrow the scope of your efforts so that you are protecting what needs to be protected, efficiently and effectively. Risk automation equips you to track, manage and report on these efforts and to validate that the cost of the technology and controls is in line with your risk and compliance needs.

Optiv's risk automation program leverages best-in-class GRC tools to automate and monitor risk within your environment, enabling you to repeatedly define, assign, track and resolve audit and compliance issues to achieve IT and cyber risk reduction. If you have questions or would like to speak with an expert, drop us a line.

Jim Bundy
Practice Director, Risk Management and Transformation | Optiv
Jim Bundy brings more than 25 years of information security and IT experience to his current position. He works closely with clients on the strategic integration of risk management, information security and data protection with IT operations. These efforts include executive architecture consulting and information security strategy assessments, along with long-term virtual CISO support engagements.