Wednesday, September 12, 2012

Hacking Expose!: For Target, retailer's risk management program ...

PHILADELPHIA -- As one of the 10 largest retail chains in the world, Target Corp. knows a thing or two about making a successful sale. According to its risk management strategist, a key factor in the success of Target's risk management architecture has also hinged on sales, namely selling risk management methodology to internal stakeholders.


In a session at the 2012 (ISC)2 Security Congress this week, Target Senior Architecture Consultant Michael D. Kelly discussed the information security risk management architecture implementation and maturity process at the Minneapolis-based retail chain. Kelly, a 25-year IT veteran who has been working on Target's risk management program for two and a half years, said one of his first steps, setting expectations, arguably proved most important.

"First of all, you have to define what success is. In my experience building programs like this, most of the work is up front, setting expectations," Kelly said. "If you don't tell the stakeholders what success means, the risk management program will probably fail, or take a long time."

Kelly said it's critical not to over-promise and under-deliver. For example, he said it doesn't make sense to promise executives that organizational risk will decline during a certain period of time, as such a calculation is based on too many factors that lie outside the information security team's control. Instead, he said, it's better to guarantee that the organization will be able to define and assess risk, and take action to reduce that risk when deemed necessary.

Kelly stressed the need for stakeholder and executive buy-in, which includes identifying the business decision makers who will act on the information the risk management program provides. Stakeholders should know that the goal of the program isn't to eliminate risk, but to manage it, he said.

"All we should really be talking about is managing risk," Kelly said. "That means understanding it, reacting to it consistently, and having consistent processes to treat risk all throughout the life cycle."

However, even reaching business leaders can be difficult. Attendee Ron Trunk, senior consultant with Chesapeake Netcraftsmen in Arnold, Md., said communicating IT risk management concepts to business leaders is a challenge.

Trunk said the first obstacle is simply getting management's attention. From there, the communication can be difficult because business leaders don't understand the technology side of risk.

"A lot don't understand the technology or how it's being used and so they can't assess the risk," Trunk said. "So it's left to the technology side, but they don't know the business."

Kelly acknowledged the challenges of bridging the gap between IT security teams and business managers, noting that at Target he was fortunate because he was able to piggyback off of its internal governance team, which was conducting similar work and had already established key relationships with executives.

What can help, Kelly said, is making the program as simple and easy to understand as possible. He emphasized the need for terminology that is precisely defined and used by everyone involved with the program, as well as a consistent focus on defining and measuring success.

"You have to show it to people," Kelly said. "Show them a chart, a table; that will help get buy-in from your stakeholders."

Getting there, though, can be hard work. Kelly said Target built a 30-page taxonomy of FAQs, terms and processes within its architecture. That has helped technologists, C-level executives and everyone in between speak the same language on risk management.

"That way, your stakeholders understand and they say the same things you say without being prompted," Kelly said. "If you can go to your boss's boss's bosses, and they say the same things you've been saying, that's what I call a measure of success."

However, risk management programs are far from easy. For instance, Kelly said one of the many challenges he has encountered is classifying threats and vulnerabilities as they are discovered. At first, he said, there was some confusion regarding what was or wasn't a threat, but eventually the organization converged on a combination of CVE and SCAP that works well.

Today, Kelly said, on a scale of 1 to 5, the maturity of Target's risk management architecture program is about a 2.5.

"We've got a long ways to go, and it probably won't ever end, but that's a good thing because the maturity will continue to grow as technology changes, and as the industry changes these programs will continue to grow."


Source: http://hackingexpose.blogspot.com/2012/09/for-target-retailors-risk-management.html
