enterprisesecuritymag

A Strategic Approach to Enterprise-Wide Risk Management

By Edward Marchewka, Director, Information and Technology, Gift of Hope Organ & Tissue Donor Network


Please elaborate on the challenges that the organizations face in addressing concerns related to information security.

One of the fundamental challenges is having the right resources in order to secure their environment adequately. Today, hackers tend to have more resources than us. Besides, they also don’t play by any rules, but we have to. Another challenge is making stakeholders understand what it is that we are doing and trying to do for the organization. It is this lack of knowledge and ignorance of the need of the hour that poses a challenge we must overcome.

What are the current market trends that are influencing the information security space?

1. Programs that involve adequate enterprise risk management from a security perspective are helping to convey effectively to executives, stakeholders, and the board how information security risk is impacting the business and its capabilities. As a result, they understand how to allocate resources appropriately to address security risks.

2. Different users look differently upon the enterprise network. If you can identify how one user typically works, you can detect the anomalies and mitigate internal risks which may occur due to malicious insiders.

Could you elaborate on your methodology to identify the right partnership/solution providers from the lot?

I take the enterprise risk management approach where I track over a hundred and forty metrics. Through this, I rank them from highest risk to lowest and then from lowest effort to highest effort. This way, I can identify the highest risk that has the lowest effort. In doing so, I will be able to identify the technologies that are needed to solve the problems at hand effectively. If I have a higher risk, I will find a solution that can address that or I will ask the business to accept that risk.

We select the solution providers based on a risk-based approach. Given our risk prioritization, most of the vendors in the market may not be able to follow all the way to the top. Because we are adopting a high-risk, low-effort approach, some vendor solutions may address the high-risk item. However, if there's a high amount of effort, cost, time, people or money involved, then we won't consider that vendor.

What are the strategic points that you go by to steer the company forward?

As an IT leader, I have to bridge several groups of people that range from my technicians all the way to my executive group. We have conversations about the key business areas through our risk management program, and they provide the direction on which of these key areas to improve upon. While we want our business to grow, at the same time we have to prioritize. We prioritize based on these areas and then from there on, our program disaggregates, as our high-level reporting is an aggregated value; we then break it down into a tactical component. I never talk about firewall rules or the amount of technology or anything tactical with my executive group; that I do with my engineers. As an example, something that is very important to us is the availability of the system, and that's about preventing downtime due to security or maintenance issues. So, the conversation that I have with the executive group is about what is important in key business areas, and thus they will provide direction on it.
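The two answers above describe the same mechanism from two sides: a metric register ranked by risk then effort, with high-risk items that cannot be fixed cheaply sent back to the business for acceptance, and an aggregated per-business-area view for executives that disaggregates into a tactical list for engineers. The following is an added example of that ranking and aggregation, not Marchewka's program or any tool named on the page; the metric names, the 1-to-5 risk and effort scales, the business areas and the effort budget are all constructed assumptions for illustration.

```python
"""Risk-based prioritisation of a security metric register.

Added example, not the interviewee's program. Every metric, weight and
threshold below is constructed; a real register (the interview mentions
~140 metrics) would be fed from the organisation's own measurements.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Metric:
    name: str
    area: str    # key business area reported on in the executive view
    risk: int    # assumed ordinal scale: 1 (low) .. 5 (high)
    effort: int  # assumed ordinal scale for cost/time/people: 1 (low) .. 5 (high)


# Constructed sample register.
REGISTER = [
    Metric("Unpatched internet-facing hosts", "Availability", 5, 2),
    Metric("Backup restore untested", "Availability", 4, 3),
    Metric("Single point of failure: core switch", "Availability", 4, 5),
    Metric("Service accounts without MFA", "Identity", 5, 4),
    Metric("Stale privileged accounts", "Identity", 3, 1),
    Metric("No behavioural baseline for user activity", "Insider risk", 4, 4),
    Metric("Shared workstation logins", "Insider risk", 2, 1),
]


def tactical_order(register):
    """Engineer view: highest risk first, then lowest effort within a risk tier."""
    return sorted(register, key=lambda m: (-m.risk, m.effort))


def executive_view(register):
    """Executive view: one aggregated value per key business area.

    Mean risk is used here as the aggregate; it is an assumption, any
    monotone aggregate (max, weighted sum) fits the same structure.
    """
    by_area = defaultdict(list)
    for m in register:
        by_area[m.area].append(m.risk)
    return {area: round(sum(r) / len(r), 2) for area, r in by_area.items()}


def drilldown(register, area):
    """Disaggregate one area's score into its tactical components, in work order."""
    return tactical_order([m for m in register if m.area == area])


def triage(register, effort_budget, high_risk=4):
    """Split the register into work to do now and risks to take back to the business.

    Items within the effort budget are worked in tactical order. Items at or
    above `high_risk` that exceed the budget cannot be closed with a
    low-effort solution, so they are routed to an explicit risk-acceptance
    decision rather than silently dropped. Lower-risk, high-effort items
    simply stay in the register for the next cycle.
    """
    do_now, accept = [], []
    for m in tactical_order(register):
        if m.effort <= effort_budget:
            do_now.append(m)
        elif m.risk >= high_risk:
            accept.append(m)
    return do_now, accept


if __name__ == "__main__":
    print("Executive view:", executive_view(REGISTER))
    print("Availability drill-down:", [m.name for m in drilldown(REGISTER, "Availability")])
    do, acc = triage(REGISTER, effort_budget=3)
    print("Do now:", [m.name for m in do])
    print("Needs risk-acceptance decision:", [m.name for m in acc])
```

The sort key `(-risk, effort)` is what makes "highest risk, lowest effort" a single ordering rather than two separate lists, and the `accept` bucket is the point where the program forces a documented business decision instead of letting an expensive high-risk item disappear from view.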

What would be a piece of advice that you could impart to a CIO who looks to embark on a similar venture along the lines of your service and solutions?

I have been observing that there is a need for a true risk-based matrix program, which a lot of companies have not started to adopt or don’t know where to start. Starting to adopt the risk-based matrix program is the first step, and once you start managing it, performance improvement professionals can use this matrix to diagnose the current internal state of the organization, plan the desired future state, and coordinate change solutions.
