by French Caldwell | March 7, 2014 | 2 Comments
I’ve spoken to a few corporate boards on IT governance and risk management, and I’ve one question that I always ask — but first let me clarify this Target CISO tweet with my twitter handle on it.
In an internal Gartner e-mail thread about the Target CIO resigning, I added some irony, writing: “Another good reason to have CISO — so the CISO can resign.” Violating all manner of e-mail and twitter etiquette, my good friend and colleague Doug Laney blasted my snarkiness to the world in a tweet — thanks, Doug! I mean it — thanks — wish I’d thought to tweet it.
But it’s really not funny, is it, when a CIO must resign her post over something she probably had been trying to fix for some time. I’ve no special inside knowledge of Target, but we’ve all seen other large organizations that have had big security, risk management, or compliance failures, and typically someone, somewhere has made the problem known, but other business priorities — making a project deadline, opening new big box stores in an emerging market, or closing the deal for a merger — seem more tangible to the powers-that-be (PTB) than dealing with security or risk issues. ‘We’ve lived with it so far — how do you know something bad will happen, anyway, Ms CIO?’ It’s a real stumper when the PTBs just don’t get it — especially when one fail after another is in the news!
Two factors often emerge when there is a big failure — 1) There’s no one outside of IT who acknowledges ownership of the risk; 2) There’s no one coordinating and providing oversight of the many different risk silos.
Target is just the latest in a long line of consumer giant security fails — remember TJX, remember Sony?
So, after the fail, they all get religion. The answer lies not just in getting a real corporate CISO, but also in getting true business leader ownership of the risks. That can only come from the very top, from those who are truly responsible to the shareholders for governance — the Board. Tone at the top is the one ingredient of risk management where, if you are even a pinch short, your recipe will end in disaster.
So besides running an effective coordinated security program, there’s another role for a CISO in a large dynamic enterprise, and that’s working with the leadership of the company and ensuring that IT risk management issues are addressed in business initiatives. For large organizations, the CISO will have her hands full running a corporate-wide IT security program and organization, and to have that kind of oomph, she must have a direct line to the board.
So, if you’re a corporate director, I have just one question for you: ‘Can you tell me the name of your CISO?’
by French Caldwell | February 28, 2014 | 4 Comments
The first ever Gartner legal IT scenario is out, and it’s both controversial and not. Many of the disruptions that we discuss in the scenario are well underway, such as the increasing demand for legal process outsourcing (LPO) and the use of advanced analytics — so what’s new? Well, new are the dramatically disruptive effects arising from the accelerating adoption of legal IT. Here are a few predictions:
- By 2020, 75% of U.S. and U.K. corporations will use LPO.
- By 2019, 75% of corporate legal and IT departments will have shared staff.
- By 2018, legal IT courses will be required for the graduates of at least 20 U.S. Tier 1 and Tier 2 law schools.
If you want more, please read the research. We’ve provided analysis and recommendations for CLOs, law firms, CIOs, and legal IT vendors and service providers in each of the four futures in the scenario. And we’ve laid out current day evidence and future indicators to guide your legal IT strategy and investments.
One big hint though for all those legal IT vendors — it’s time to get big or get out. Frankly, half of you guys will be gone within another 36 months. Good luck!
by French Caldwell | February 27, 2014 | 2 Comments
Vendor Risk Management Is Flashing Hot
I went to the RSA conference once — it was really busy and hearing from my buddies at the front, it’s now busier than ever. So much for the boycott, eh?
A lot of my security buddies are at RSA this week, and are broadcasting the buzz back to the rest of us here at Gartner. One piece of gossip that got my attention was shared by Erik Heidt. He said that many of the financial services attendees are talking about the FS regulators ramping up vendor risk oversight requirements on FS firms. Third party risk management is the one area where I do get involved in security — I always say I’m a risk management analyst whenever anyone asks me a really tricky security question.
Third party risk management is pretty broad. It covers downstream risks associated with customers and prospects, business partners and resellers — and downstream is where much of the fraud, bribery and corruption comes into play. It also covers upstream risks associated with suppliers in manufacturing, mining, oil and gas, retail and other supply chains, plus the risks associated with vendors that provide business process outsourcing, information services, or manage IT assets — these vendors can range from a major outsourcer to a visiting nurse. We group the vendors that somehow touch information which you own or for which you are accountable into VRM — it’s focused mostly on the logical supply chain, whereas supplier risk management focuses on the physical goods supply chain. For more on this, I’ve included at the bottom of this post our working definition for the upcoming Magic Quadrant for Vendor Risk Management, which is slated for Q4 this year.
Anyway, is the buzz about VRM at RSA right? — yes. Ever since late October, when the Office of the Comptroller of the Currency published guidelines saying that VRM should be part of the ERM program, we have seen an uptick in inquiry on vendor risk management. I expect the other FFIEC regulators — FRB, FDIC, NCUA and CFPB — to continue raising the bar as well.
Now there are a couple of immediate problems with complying with the OCC guidelines. First, they assume that FS firms have ERM programs. I’m sure most do in name, but frankly, in practice many don’t. Secondly, most FS firms don’t have a vendor management function, and if you don’t do vendor management, then how can you do vendor risk management?
To deal with the onslaught of client interest, we’ve been ramping up on VRM here at Gartner. First we formed a dedicated vendor management team, headed up by Linda Cohen, and including my good friends Helen Huntley, Chris Ambrose, and Gayla Sullivan. You may remember that Helen and I led a special report on VRM in 2009 when the first bubbles of VRM began to appear in the risk management pond. Now the pond is in full boil, and we’re worried about a steam flash!
By the way, it’s not just FS clients driving the demand — healthcare and E&U are getting into this too in a big way, and no industry vertical will be left behind. You can thank cloud computing for that!
We’re getting behind the demand for VRM research in a big way. Very soon, you’ll see a note from Kristian Steenstrup and Gayla Sullivan on VRM for operational technology. Looking ahead, Chris Ambrose and I are working on updating Gartner’s Simple Vendor Risk Management Framework. There’s nothing wrong with it now, and it’s very popular, but we want to add more detail on sources of risk data, and key risk indicators for VRM.
Chris, Gayla and I are also working on the new VRM magic quadrant, and we’re starting to track services for VRM. This is in addition to the work that other analysts like Debbie Wilson, Ray Barger and Noha Tohamy are doing on supplier risk management, Jay Heiser and Rob McMillan on VRM standards, and Khushbu Pratap on auditing vendors. And I’m also working on some of those downstream risk issues — expect a note on FCPA solutions in Q2.
VRM Technology Definition
Vendor risk management (VRM) is the process of ensuring that the use of third-party service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. VRM solutions support enterprises that must assess, monitor and manage their risk exposure from third parties that provide IT products and services, or that have access to enterprise information.
by French Caldwell | February 21, 2014 | 1 Comment
As part of its anti-patent troll initiative, the White House announced a new crowdsourcing initiative at PTO. Should be interesting. Is government by the people taking on new expanded meaning and moving beyond representative democracy?
The idea of crowdsourcing patent review has already been tested on a few hundred patents. PTO used Stack Exchange to test it. Interestingly, one of the patents shot down in this test was an application from Microsoft, and, as explained by Joel Spolsky, prior art from Microsoft was the basis for the refusal.
However, looking at the activity currently on Stack Exchange, I’m not sure how great a service PTO will get there when the novelty wears off. Since no one is really paid for their expertise, it doesn’t seem totally suited for this task. How much independent expert input would a totally voluntary service get? Seems like you’d get a lot of competitors who will fight patents, and that might help, but is it sufficient?
Developing panels of independent experts on Mechanical Turk or a similar service would bring in more independent expertise. Article One Partners is a crowdsourcing patent research service which Microsoft itself has used.
Perhaps a mix of open public input and crowdsourced expert panels would work to fight the trolling problem.
by French Caldwell | February 20, 2014 | 1 Comment
I WASN’T SURE HOW TO WRAP THIS. HOPE YOU LIKE IT. HAPPY #GIGD!
Global Information Governance Day — who knew. Not I, and I must apologize to those who take such industry observance days seriously — which I don’t — but I forgot to bring flowers or a bottle of wine or something. What’s really appropriate for #GIGD anyway?
Not that information governance is not a serious subject, but a tweet jam on the topic is about as useful as a band-aid on a skull fracture. Information governance is just broken in most organizations, and frankly, in most cases it isn’t going to be rescued.
First of all, information governance just doesn’t command budget, does it? No matter how much you talk to executives about how much better their decisions could be if they had more reliable, accurate and timely information, they just aren’t going to pay for it. Sorry — but it’s the truth. Just ask all those KM folks out there (in the interest of full disclosure, I was a KMer and a darn good one). Like KM, in the context of business information, IG just becomes another librarian function.
The other day a CIO shared that her discretionary budget had been whacked to zero. She was cancelling all her projects, but one. Guess what that one project was that didn’t need any budget — yep, IG!
But what if we could find a problem where doing IG well really has clear and direct payoffs — like KM did when CRM found it. The marriage of KM and CRM has been an outstanding success. Certainly not as strategic as the marriage of KM to business decision making or business performance would have been, but no one can doubt that CRM really loves KM and vice versa. In the IT world, money is love, and CRM sure has a lot of money.
But who loves IG? E-Discovery — that’s who. But ugh, IG doesn’t really love e-discovery, and that’s sad. IG wants to be even bigger than e-discovery — Big IG wants to find its full potential in supporting business decision makers to make better decisions — and not just the big decision makers, but all of those people who are making crucial decisions all across the enterprise, and even customers who are making decisions.
Unfortunately, that’s just not going to happen. Big IG is stuck with regulation and litigation for now. But there’s a lot of room for little IG in all those business digitalization projects — frankly they don’t work without IG — but this isn’t the Big IG that we all want to be. So what! — the point is there is a little IG in every business digitalization project, and as the Internet of Things takes off, all those little IGs will add up to a mammoth amount of IG — but they are not going to be controlled from BIG IG CENTRAL. Ain’t gonna happen — get over it.
WE ALL NEED A LITTLE IG!
So, except for regulation and litigation where Big IG is being forced into an arranged marriage with Big Discovery, there’s no one else out there for Big IG. On the other hand, a whole bunch of little IGs really add up to a whole lot of love.
by French Caldwell | February 15, 2014 | 1 Comment
I wouldn’t read too much into the headline of this WSJ article. Security intel people warn of problems all the time – it’s their job. A real bit of news is in the last paragraph of the article:
Several members of Target’s cybersecurity team left the company in the months before the hack, according to people familiar with the matter and a search of social media profiles. Many left for more prestigious jobs at other firms, the former employee said.
As cysec becomes a prominent issue for execs, chief legal officers and corporate directors, companies that are building IT security teams are going to be poaching experienced security pros from other companies. This poaching is a significant risk, and companies should assess their own susceptibility to it.
by French Caldwell | February 4, 2014 | 3 Comments
Gartner’s coverage of vendors in the GRC marketplace is about to change. The main reason for the change, as noted in the most recent Enterprise Governance, Risk and Compliance Platforms Magic Quadrant, is that GRC solutions buyers are shifting away from a platform-centric approach to one focused on targeted solutions for specific use cases.
A platform approach is attractive for its ability to get all risk management and compliance professionals on the same system of record. Being on the same system of record allows more effective sharing of risk and controls information, and the elimination of inefficient overlaps between risk management and compliance silos. Internal auditors for instance can gain access to IT security’s risk assessments, thus enabling more effective allocation of audit resources to higher risk areas. And IT security and audit, by using the same taxonomies for risks and controls, can reach agreement on where remediation is most needed. Platforms also enable improved executive and board level reporting through aggregation of risk and control data across risk management and compliance programs.
On the other hand, buyers of platform-based solutions usually end up sub-optimizing something. For instance a GRC vendor may have a superb solution for corporate compliance management, but poor operational risk management capabilities. When most enterprises had fairly immature risk management and compliance organizations, the trade-off of sub-optimizing some technology solutions in order to get all the organizational silos on the same system of record was reasonable. However, as organizational maturity improves, the gaps in technology support become more of a limitation.
As more enterprises have matured their risk management and compliance functions, the market has reached the point where buyers want targeted solutions that fit their needs for specific use cases. The following use cases are the subject of ongoing GRC research at Gartner:
- Use case 1: IT Risk Management (ITRM). The use of GRC tools for management, measurement, and reporting against IT risk. While this may include security operations data and processes, implementations that are primarily focused on security operations, analysis, and reporting will be considered “below the line” and not part of this use case.
- Use case 2: Operational risk management (ORM). The use of GRC tools for management, measurement, and reporting against operational risk. Enterprise risk management, considered as the impact of risks on enterprise strategic objectives, will also be addressed in this use case.
- Use case 3: Audit management. Audit solutions used by internal audit teams that document and track phases of the audit cycle — audit planning, audit risk assessment, audit project management, time and expense management, issue tracking, audit work paper management, audit evidence management, and reporting. Implementations primarily for the benefit of non-audit functions are excluded.
- Use case 4: Vendor risk management (VRM). The use of VRM tools for management, measurement, and reporting against vendor and third party related risk. This will include capabilities to identify, classify, monitor, and recommend risk mitigation to support business operations and regulatory requirements.
- Use case 5: Business continuity management (BCM). Supporting the coordinating, facilitating and executing activities that ensure an enterprise’s effectiveness in identifying and mitigating operational risks that can lead to business disruptions, and recovering mission-critical business operations after a disruptive event turns into a disaster.
- Use case 6: Corporate Compliance and Oversight. Compliance management and reporting associated with corporate governance codes, ethics, and financial reporting integrity regulations, such as Sarbanes-Oxley, Turnbull and others, and other regulations, standards and policies that materially affect the compliance posture of the overall enterprise.
Having all these use cases supported by the same vendor on the same platform is helpful but not mandatory. Vendors who are opening up their platforms to make integration easier are more competitive in this new phase of the GRC marketplace.
Recognizing the shift in the GRC marketplace from platform-centric to targeted solutions, Gartner will no longer publish the Enterprise Governance, Risk and Compliance Platform magic quadrant or the IT GRC Management marketscope. We have instead developed an aggressive 2014 GRC technology agenda with specific deliverables for targeted solutions, including the following, with lead author:
- Market Guide for Audit Management — Khushbu Pratap
- Magic Quadrant for Operational Risk Management — John Wheeler
- Magic Quadrant for Security & IT Risk — Paul Proctor (Erik Heidt will lead additional Gartner for Technology Professionals deliverables)
- Magic Quadrant for Business Continuity Planning — Roberta Witty
- Magic Quadrant for Vendor Risk Management — Chris Ambrose
- Market Guide for Corporate Compliance and Oversight — French Caldwell
These deliverables will assess both broad-based GRC platform vendors, as well as vendors who offer only targeted solutions.
Of course, the GRC platform market is far from dead. Besides using platform solutions to enable cross-silo collaboration, many enterprises designate one of their GRC platforms as the platform of record for higher level reporting for enterprise risk management, strategic planning, and incident management. To facilitate collaboration between risk silos, and cross-enterprise coordination and reporting, we recognize that many buyers in the market will still want to compare GRC platforms. To enable comparison of GRC platform vendors who address multiple use cases, we will produce the following research note that will rate the top 10 GRC vendors on each of the use cases and also provide an overall ranking of the platforms:
Most of the above research notes will be delivered in Q3 and Q4 of 2014. In the meantime, our clients are welcome to contact the analysts above. Vendors, whether client or not, who wish to brief us on their capabilities to support any of the use cases above or who have questions on the process should please contact Gartner’s vendor relations to schedule a briefing.
We recognize this is a large change to how GRC is covered at Gartner, but it is indicative of the market direction. We expect our competitors to follow suit.
by French Caldwell | January 17, 2014 | 1 Comment
I came across a survey report last week from security and investigations service firm Stroz Friedberg that highlights the fundamental tenet of effective compliance and risk management – tone at the top. The survey of 764 information workers shows that senior managers are the worst offenders when it comes to using personal cloud services to manage work-related information. 87% of them regularly upload work documents to personal cloud accounts or e-mail.
This revelation of senior manager culpability in poor cloud security led me to share an ironic prediction with my colleagues – By 2020, enterprises will incorporate senior management redundancies into their infosec maturity programs. No, this is not an official Gartner prediction!
Seriously, though – think about it. If senior managers are willing to bypass the IT organization and its security strategies, then what about the rest of the employees? Now, here’s some real irony – the report says that 54% of lower ranking employees believe that security is the IT organization’s problem. Essentially, these employees are saying, “Catch me if you can.” So, is that passive-aggressive behavior, or what? And it all starts at the top.
Meanwhile, IT is jumping through hoops to make sure that they can prove that cloud service providers used by the enterprise can demonstrate that they have effective security compliance and risk management. And thousands of providers are responding to their customers’ demands for site visits, third party audits, certifications, and responses to bespoke questionnaires that have hundreds of questions. Most often all this activity is driven by compliance mandates – meaning that there are penalties for not properly controlling certain types of information, most often personal information. But when they use personal cloud services, there’s a risk that senior managers and their followers are bypassing all of those controls that IT and the service providers are working so hard to ensure are in place and working.
The question on whether all this compliance and audit activity is worth it is legit. With respect to enterprise-grade SaaS vendors, my colleague Jay Heiser says he’s yet to find a SaaS risk event that had a material impact. If you know of one, please call Jay.
Regardless of what we may think of the risks, the bottom line on the Stroz Friedberg survey is that tone at the top matters – and it matters more than anything else. When something goes wrong, are senior managers at your organization asking what they did wrong, or are they asking what IT security did wrong? At Gartner’s 2013 Barcelona Symposium I attended an organizational change workshop run by business relationship guru Keith Ferrazzi. Keith said that any real change starts with the leader who wants change – and first that leader must change. So, to improve security and risk management, business leaders must look first to themselves and their own behavior, and be open to making the biggest change in their own behavior.
Unfortunately, my colleague Tom Scholtz said in his recent security managers survey that involvement of non-IT leaders in security governance is waning, a finding that is seconded by another colleague John Wheeler who found in his risk managers survey that investment in technology for risk management is shifting to technical security solutions. This lack of involvement by leaders and the dependence on technical solutions is unlikely to encourage employees to follow the rules.
With the explosion of cloud services and the ease of use of personal clouds, it’s unrealistic that employees would quit using them for work purposes. Senior managers need to remember that what they do, their employees will do. Business leaders who seriously assess the risks of personal cloud services, establish responsible (and simple) rules on the use of personal clouds, and then follow those rules themselves, are the ones that will be most successful at protecting against the loss of sensitive information. It’s those leaders and not IT security who will best protect the enterprise.
by French Caldwell | January 16, 2014 | 1 Comment
The comments from readers on this story about two Yale students who built an online course comparison service are as interesting as the story itself. Aggregating data has created a boon for internet information services, and these Yale students were aggregating information to help their fellow students make hard decisions. After all, these students are spending thousands of dollars per course. These two brothers took information that was practically obscure, such as evaluations of professors — perhaps especially evaluations of professors — and made it more transparent.
The university may have a point in that some of the information may not have been collected for the purposes that these two students were using it for; yet, does that make the service they were providing less legitimate, or does that demonstrate the value of information when it is aggregated in a meaningful way to support decision making? In fact, what good is information if it is not aggregated in a useful way — why spend the time and effort to create the information anyway, if you are just going to disperse it in a fashion that makes its value trivial?
Universities support and promote research that does just what these two students did — bring together information that is legitimately available and present it in a way that enables important decisions. The service provided by these two students most likely supported more actionable decision-making in the span of a few days than all the public policy research published by Yale faculty in the last year.
After you read the story and some of the comments, especially the comment from Harry Yu, one of the service’s creators, how about taking this poll? Thanks!
by French Caldwell | December 13, 2013 | 1 Comment
The final guidance from the FFIEC on social media risk management for financial institutions has been promulgated. It is effective immediately. As I mentioned earlier this year, regulatory guidance of this sort is not optional.
I recently did a study of the public comments for my doctorate in law and policy program at Northeastern University — if you’d like some rather poor entertainment, I did a 7-minute YouTube video summary of the analysis of the public comments. Through that analysis, perceptions of cost and complexity emerged as consistent themes. Cost was expressed by the commenters in terms of both the time and expense that would be needed to comply with the regulations and the technology investments that could be required. Complexity was expressed as the breadth of the proposed guidance, with concerns that it attempted to offer a broad-brushed overlay on existing regulations without actually modifying those regulations. Examples of complexity cited in the public comments included having to comply with the proposed guidance as well as existing social media guidance from other regulators, which could conflict; the question of the legality of monitoring employees’ personal use of social media; concerns with respect to ensuring consumer privacy; and the challenges of presenting mandatory disclosures to consumers within the technical limits of social media.
While the most common public comments from the financial institutions look to have been addressed in some fashion, it is indubitable that the guidance will require stricter attention to social media compliance, which will require more investment in time, process and, in some larger firms, technology. One issue that remains particularly salient for Gartner clients is employee monitoring.
I am working through the final guidance with the goal of publishing a Gartner impact analysis. After you read through the guidance, if you identify a particular aspect you would like to make sure is addressed, then please comment here in this blog.