A Strategic Approach to Enterprise-Wide Risk Management

Edward Marchewka, Director, Information and Technology, Gift of Hope Organ & Tissue Donor Network

Please elaborate on the challenges that organizations face in addressing concerns related to information security.

One of the fundamental challenges is having the right resources in order to secure their environment adequately. Today, hackers tend to have more resources than us. Besides, they also don’t play by any rules, but we have to. Another challenge is making stakeholders understand what it is that we are doing and trying to do for the organization. It is this lack of knowledge and ignorance towards the need of the hour that is posing a challenge that we must overcome.

What are the current market trends that are influencing the information security space?

1. Programs that involve adequate enterprise risk management from a security perspective are helping to convey effectively to executives, stakeholders, and the board how information security risk is impacting the business and its capabilities. As a result, they understand how to allocate the resources for addressing security risks appropriately.

2. Different users look differently upon the enterprise network. If you can identify how one user works, you can detect the anomalies and mitigate internal risks which may occur due to malicious insiders.

Could you elaborate on your methodology to identify the right partnership/solution providers from the lot?

I take the enterprise risk management approach where I track over a hundred and forty metrics. Through this, I rank them from highest risk to lowest and then from lowest effort to highest effort. This way, I can identify the highest risk that has the lowest effort. In doing so, I will be able to identify the technologies that are needed to solve the problems at hand effectively. If I have a higher risk, I will find a solution that can address that or I will ask the business to accept that risk.

We select the solution providers based on a risk-based approach. Given our risk prioritization, most of the vendors in the market may not be able to follow all the way to the top. Because we are adopting a high-risk, low-effort approach, some vendor solutions may address the high-risk item. However, if there's a high amount of effort, cost, time, people or money involved, then we won't consider that vendor.

What are the strategic points that you go by to steer the company forward?

As an IT leader, I have to bridge several groups of people that range from my technicians all the way to my executive group. We have conversations about the key business areas through our risk management program, and they provide the direction on which of these key areas to improve upon. While we want our business to grow, at the same time we have to prioritize. We prioritize based on these areas and then from there on, our program disaggregates, as our high-level reporting is an aggregated value; we then break it down into a tactical component. I never talk about firewall rules, the amount of technology or anything tactical with my executive group; that I do with my engineers. As an example, something that is very important to us is the availability of the system, and that's about preventing downtime due to security or maintenance issues. So, the conversation that I have with the executive group is about what is important in key business areas, and thus they will provide direction into it.

What would be a piece of advice that you could impart to a CIO who looks to embark on a similar venture along the lines of your service and solutions?

I have been observing that there is a need for a true risk-based matrix program, which a lot of companies have not started to adopt or they don’t know where to start. Starting to adopt the risk-based matrix program is the first step, and once you start managing it, performance improvement professionals can use this matrix to diagnose the current internal state of the organization, plan the desired future state, and coordinate change solutions.
