Over the last two decades, Information Security has become more interlinked with Risk Management as a discipline, and that is owed to greater technological leaps across various industries, as well as information being hailed as the currency of this generation. This has led to a logical amalgamation between Risk Management and Information Security through Enterprise Risk Management (ERM) frameworks within organizations to ensure that Information Security has relevant end-to-end coverage. Gone are the days when Information Security was seen as something purely driven and owned by an organization’s Information Security team.
A Risk Management and Information Security (RMIS) strategy provides an organization with a road map for protecting its information infrastructure. It sets goals and objectives so that capabilities and deliverables are aligned with the organization’s goals and risk profile, allowing effectiveness to be achieved as safely as possible and within risk appetite, while leaving calculated room for evolution in response to internal and external factors.
Implementing this strategy can be complex due to the number of moving parts required to do so successfully. The strategy requires collaboration from various levels of an organization, all holding equal importance.
The RMIS Strategy Approach
Due to the complexity of Information Security, a five-stage approach to establishing an RMIS strategy would be highly effective in providing tangible results and allowing for learning between stages. The stages also allow for a thorough strategic development process, which is beneficial in implementing a deliberate end-to-end approach.
Stage One: Self-Awareness
The first stage of establishing an RMIS relies on the organization’s self-awareness and acceptance of its realistic position. It is crucial to understand the current business conditions that an organization is experiencing and the current risk profile of the organization, to use as a baseline. This baseline will determine the level of RMIS strategy capabilities and will dictate how advanced or basic the strategy can be, taking tangible metrics such as capital expenses, budget, and market share into account. The organization cannot aim for an intricate RMIS strategy if the budget and growth plans do not allow for it; hence the strategy should be tailor-made to the available yield.
The risk profile will determine the acceptable levels of risk the organization is willing to expose itself to which will, in turn, dictate the tolerance levels in the strategy.
- The business performance of an organization is imperative to the first phase as it would only make sense to build an expansive RMIS strategy if the organization is experiencing hearty profits.
- The organization’s risk profile is useful because it will allow the RMIS strategy to be built in alignment with the ERM framework for consistency in ERM goals.
Stage Two: Strategy Definition
The second stage sets out to define the strategy in accordance with planning, targeted capabilities, availability of staff, and the culture of the organization. This comprises setting a two-tier planning process, the targeted state of capabilities linked to the RMIS strategy, the capability of staff, and cultural awareness.
- The RMIS strategy should be rolled out in two tiers, namely, a prescriptive annual plan and a high-level three-to-five-year plan which is malleable enough to be changed based on experiences from the annual plan.
- The targeted state of future capabilities must be agreed upon by the leaders of the organization as this would present the desired level upon execution of the RMIS strategy.
- The availability and capability of staff is a crucial element in any strategy as the people in an organization would be the driving force behind rolling out a strategy in business operations.
- The culture of an organization would determine what kind of adoption and communication to use for the strategy. This is an important aspect of any strategy as the level of acceptance of a strategy could either make or break the objectives of such.
Stage Three: Strategy Development
The third stage focuses on the development of the strategy using a governance model, determining the extent to which the strategy will be used operationally, and determining the current competency of staff. This stage comprises defining the specific governance model to be used, deciding whether the RMIS strategy includes operational components or will be used for consultative purposes only, and considerations for staff competency and oversight.
- The selected governance model should allow for monitoring both the individual parts of the organization and the sum of all parts holistically.
- The addition of operational components to an RMIS strategy is not ideal, as this runs the risk of leaving gaps in robust environments; it is therefore far more beneficial to the organization for the strategy to be a consultative tool instead.
- Staff need to be competent and able to provide required oversight upon execution of the strategy. It is important to perform a gap analysis to determine if staff are equipped to handle the execution of the strategy in terms of objectives. If the current staff are found to have competency gaps, training or resourcing must be applied to raise the competency levels to the requirements of the strategy.
Stage Four: Metrics
The fourth stage entails the measurement of the RMIS strategy. This would typically include the use of Key Performance Indicators (KPIs) to measure the performance and effectiveness of the RMIS strategy.
- The development of KPIs is useful to identify the value of the RMIS strategy in different parts of the organization. This provides objective data as a measurement tool for success or failure and would assist in course correction or damage control if needed.
- The KPIs should have clear and defined thresholds to be as effective as possible when measuring acceptable and unacceptable limits and when comparing alignment to the organization’s goals.
Stage Five: Implementation
The fifth and final stage of the RMIS strategy involves the efficient implementation of the strategy by ensuring that conformance, sound governance, and a bespoke communication plan are all established within the organization. This entails setting consequences for nonconformance, establishing an oversight committee, and ensuring constant effective communication via a communication plan.
As all the above suggests, the success or failure of an RMIS strategy heavily depends on several variables within an organization but if successfully executed, it can be invaluable in keeping an organization safe, responsible, and relevant in this fast-paced environment.
Current trends have shown us that to evolve in this world of information, organizations cannot remain dormant in the hope that status quo strategies and processes are enough to stand the test of time.
There is no substitute for a cutting-edge strategy, and implementing an RMIS strategy with the above considerations would be a game-changing tool to take an organization to the next level. The RMIS includes many useful applications. However, crafting a well-thought-out strategy will turn your RMIS from something simply filled with features into an invaluable partner in managing risk more effectively.
Developing a strategy that helps you take advantage of available resources, respond effectively to challenges, use your time and energy wisely, and focus on getting the right things done will greatly assist your resource management. An RMIS strategy is a roadmap to achieving your goals.
It is important to remind your organization that Information Security should be included in the overall ERM strategy to ensure full coverage and alignment with objectives. After all, each component in an organization should be seen as a contributor to the ecosystem and as we all know, an ecosystem can only function optimally when all parts of it work harmoniously for the greater good.
Disclaimer: The views and opinions expressed in this article reflect those of the author in his personal capacity and not of his organization, company, or colleagues.