Securing the Digital World

Compensating for Control Issues

Jan 22, 2016 | by Mason Karrer |

Whoa wait a this a psychology lesson? Well if so hopefully it's no less comfortable than your favorite chair!

Last week we kicked off a new blog series on Issues Management. Read Steve's initial volley which neatly frames up the problem of the "Issues Pit". This week we'll discuss the process of compensating for control gaps; an often overlooked aspect of managing issues.

Basic risk and control doctrine calls for identifying multiple methods to address risk. We generically refer to these risk treatment methods as controls. Typically (though not always) the more controls we can identify for a particular risk, the better. It's then the nature of things that some controls will be deemed more important than others. Some will be so important that they'll be required to be in place all the time and receive a flashy label like "key control", "primary control", etc.

Since it's inevitible that controls can and will fail, those important key controls will often benefit from having separate secondary controls to backstop the primaries and reduce the impact of a control failure. This is all very sensible and seemingly omnipresent not just in business but practically every aspect of daily life. (The generic example of speed limits + seatbelts + airbags + baby seats comes to mind.)

If control issues are unavoidable then it's certainly preferred to discover them on your terms versus an external actor's. Nothing throws an organization into a panic faster than an unplanned crisis. And the after-action analysis will almost always point to control failures as contributing factors or root causes. In other words controls must be regularly tested to ensure they function properly; which underpins an essential discipline of compliance. As control issues (gaps) are discovered, a remediation process to address those issues must also be in place. This is unfortunately where organizations who otherwise believe they have a good handle on things may unknowingly be rolling the dice instead.

Suppose the business invests in new technology which results in a critical control issue emerging and the only proposed remedy is to implement some other new, expensive system on top of it? If the sole quantitative decision point is mere cost then the leadership is not very well equipped to make a fully informed decision. Which means they're between a rock and a hard place wishing they had better information and more of it. Should they just write the check and risk overspending for immeasurable gain? Or hold off and think about it some more? Maybe some more data will magically appear to make the decision easier. Which increases the chances the purchase will be pushed off entirely and raise the inherent risk level in the process.

Situations like these are where the value of a GRC program can really shine through. What if the leadership had reliable metrics on the risks associated with the control gap that could be used to compare the cost of the risk against the cost (value) of the solution? What if the risk could be partially reduced through other resources the company already had under roof? Perhaps a smaller investment could then sufficiently address the remaining gap. Not only would the risk be measurably lower. But the inherent value ceiling of those other investments would also go up and increase ROI. Either way management would have a much better framework for balancing the decision against the many other strategic decisions they have to make. And given a choice no executive prefers blindly guessing when there's otherwise good intel available to inform their decision.

This mix of risks and controls and exposure is constantly shifting as business and markets fluctuate and security threats advance. Part of a healthy issues management program includes solid remediation strategies with the ability to quickly identify alternative controls to supplement, or even fully compensate for primary controls in a pinch. Understanding the criteria for determing those compensating control relationships, inherent limitations, and mapping all that together is impossible without a full inventory of risks, assets, and controls and a solid system of record for managing them. This is another area where GRC capabilities are perfectly suited to deliver value through process enablement, efficiency, and risk reduction.

We've spoken before about the potential competitive advantage that organizations can harness by maturing their GRC processes. Imagine if your organization never feared an audit because your compliance posture was already assured through healthy business processes. By replacing guesswork with the ability to make informed, risk-rationalized decisions not just for compliance, but for risk taking growth strategies, organizational leaders can much more confidently guide the business forward. In these times of extreme global competition and front page security breaches, what would that kind of assurance be worth to the leadership in your organization?

For more information check out this short video that shows how RSA Archer can help with your issues management process.