by French Caldwell | January 17, 2014 | 1 Comment
I came across a survey report last week from security and investigations services firm Stroz Friedberg that highlights the fundamental tenet of effective compliance and risk management: tone at the top. The survey of 764 information workers shows that senior managers are the worst offenders when it comes to using personal cloud services to manage work-related information: 87% of them regularly upload work documents to personal cloud accounts or e-mail.
This revelation of senior manager culpability in poor cloud security led me to share an ironic prediction with my colleagues – By 2020, enterprises will incorporate senior management redundancies into their infosec maturity programs. No, this is not an official Gartner prediction!
Seriously, though, think about it. If senior managers are willing to bypass the IT organization and its security strategies, what about the rest of the employees? Now, here’s some real irony: the report says that 54% of lower-ranking employees believe that security is the IT organization’s problem. Essentially, these employees are saying, “Catch me if you can.” So, is that passive-aggressive behavior, or what? And it all starts at the top.
Meanwhile, IT is jumping through hoops to prove that the cloud service providers used by the enterprise have effective security compliance and risk management. Thousands of providers are responding to their customers’ demands for site visits, third-party audits, certifications, and responses to bespoke questionnaires with hundreds of questions. Most of this activity is driven by compliance mandates, meaning that there are penalties for not properly controlling certain types of information, most often personal information. But when senior managers and their followers use personal cloud services, they bypass all of the controls that IT and the service providers are working so hard to put in place and keep working.
The question of whether all this compliance and audit activity is worth it is legitimate. With respect to enterprise-grade SaaS vendors, my colleague Jay Heiser says he has yet to find a SaaS risk event that had a material impact. If you know of one, please call Jay.
Regardless of what we may think of the risks, the bottom line on the Stroz Friedberg survey is that tone at the top matters, and it matters more than anything else. When something goes wrong, are senior managers at your organization asking what they did wrong, or are they asking what IT security did wrong? At Gartner’s 2013 Barcelona Symposium I attended an organizational change workshop run by business relationship guru Keith Ferrazzi. Keith said that any real change starts with the leader who wants change, and first that leader must change. So, to improve security and risk management, business leaders must look first to themselves and their own behavior, and be open to making the biggest change in their own behavior.
Unfortunately, my colleague Tom Scholtz reports in his recent survey of security managers that involvement of non-IT leaders in security governance is waning, a finding seconded by another colleague, John Wheeler, whose survey of risk managers found that investment in risk management technology is shifting toward technical security solutions. This lack of involvement by leaders, combined with dependence on technical solutions, is unlikely to encourage employees to follow the rules.
With the explosion of cloud services and the ease of use of personal clouds, it’s unrealistic that employees would quit using them for work purposes. Senior managers need to remember that what they do, their employees will do. Business leaders who seriously assess the risks of personal cloud services, establish responsible (and simple) rules on the use of personal clouds, and then follow those rules themselves, are the ones that will be most successful at protecting against the loss of sensitive information. It’s those leaders and not IT security who will best protect the enterprise.
Category: Cloud compliance IT Governance Risk Management Tags:
by French Caldwell | January 16, 2014 | 1 Comment
The comments from readers on this story about two Yale students who built an online course comparison service are as interesting as the story itself. Aggregating data has created a boon for internet information services, and these Yale students were aggregating information to help their fellow students make hard decisions. After all, these students are spending thousands of dollars per course. These two brothers took information that was practically obscure (such as, and perhaps especially, evaluations of professors) and made it more transparent.
The university may have a point in that some of the information may not have been collected for the purposes these two students were using it for; yet does that make the service they were providing less legitimate, or does it demonstrate the value of information when it is aggregated in a meaningful way to support decision making? In fact, what good is information if it is not aggregated in a useful way? Why spend the time and effort to create the information at all, if you are just going to disperse it in a fashion that makes its value trivial?
Universities support and promote research that does just what these two students did: bring together information that is legitimately available and present it in a way that enables important decisions. The service provided by these two students most likely supported more actionable decision-making in the span of a few days than all the public policy research published by Yale faculty in the last year.
After you read the story and some of the comments, especially the comment from Harry Yu, one of the service’s creators, how about taking the poll? Thanks!
Category: Social Technology Transparency Tags: reputational risk
by French Caldwell | December 13, 2013 | 1 Comment
The final guidance from the FFIEC on social media risk management for financial institutions has been promulgated. It is effective immediately. As I mentioned earlier this year, regulatory guidance of this sort is not optional.
I recently did a study of the public comments for my Doctor of Law and Policy program at Northeastern University; if you’d like some rather poor entertainment, I did a 7-minute YouTube video summary of the analysis of the public comments. Through that analysis, perceptions of cost and complexity emerged as consistent themes. Cost was expressed by the commenters in terms of both the time and expense that would be needed to comply with the guidance and the technology investments that could be required. Complexity was expressed as the breadth of the proposed guidance, with concerns that it attempted to offer a broad-brush overlay on existing regulations without actually modifying them. Examples of complexity cited in the public comments included: having to comply with the proposed guidance as well as existing social media guidance from other regulators, which could conflict; the question of the legality of monitoring employees’ personal use of social media; concerns with respect to ensuring consumer privacy; and the challenges of presenting mandatory disclosures to consumers within the technical limits of social media.
While the most common public comments from the financial institutions look to have been addressed in some fashion, the guidance will undoubtedly require stricter attention to social media compliance, which will require more investment in time, process and, in some larger firms, technology. One issue that remains particularly salient for Gartner clients is employee monitoring.
I am working through the final guidance with the goal of publishing a Gartner impact analysis. After you read through the guidance, if you identify a particular aspect you would like to make sure is addressed, then please comment here in this blog.
Category: Cloud compliance GRC public policy Risk Management Social Technology Tags: compliance, Financial Regulations, Risk Management, social
by French Caldwell | October 4, 2013 | 3 Comments
If you follow the shutdown news, you’ll no doubt hear some talking heads saying the shutdown will last a few more days, and some cleverer pundits starting to link the timing for the shutdown to the debt limit deadline of 17 October. Business, government and IT executives need a scenario on which to base longer term decision making related to the shutdown, so I’ve put on my inside the beltway strategist hat and come up with one. I hope it helps.
First, the background. Without going into the political issues at stake, it’s clear that Congress is hopelessly deadlocked. Neither political party controls both chambers of Congress, and both parties are further split by factions. There’s no clear path forward for a bipartisan coalition to pass a continuing resolution to fund government operations and to raise the debt limit. We are in a constitutional crisis.
With this deadlock, consider the following probabilities:
1 — There will be no agreement on a continuing resolution before 15 October, the next payday for government employees (0.8 probability).
2 — The debt limit will not be raised by 15 October, two days before the ceiling is reached (0.5 probability).
3 — If the debt limit is not raised, the Department of the Treasury will identify further extraordinary means to extend the debt limit for at most two more weeks through the end of October (0.4 probability).
4 — Come 1 November the U.S. government will not pay some of its bills, perhaps things like Medicare reimbursements and utilities of some federal facilities (0.2 probability).
As the above probabilities play out, the following scenario becomes more likely:
- Government agencies will be told to identify the absolute minimum skeleton crew required to maintain public safety and security. Courts will shut down.
- Plans for the use of National Guard and other military units to protect abandoned federal facilities will be established.
- The government will announce a prioritization plan that will focus on paying many items not affected by the continuing resolution such as social security, veterans benefits, and interest payments on government debt.
- It is highly unlikely, a virtually nil probability, that the U.S. Government will default on its debt. Rather than allow even a temporary default, it is likely that as the ultimate debt limit is approached, Congress will pass incremental increases in the debt ceiling to assure world markets of a commitment not to default.
Federal agencies should assume a prolonged governmental shutdown which may require mothballing some facilities that current continuity of operations (COOP) plans assume will stay operational. State and local governments, and businesses that depend on federal data and federal IT systems should assume that data will not be available for up to two months.
This scenario is not the absolute worst case. Rather, it is a worst probable case. In 2010 and 2011, the Belgian government was deadlocked for over a year, but a caretaker government was able to pass a budget and continue running governmental services until a new government could be formed. The U.S. Government constitutionally does not have that flexibility, and it is mammothly consequential to the global economy; both of these militate against a prolonged constitutional deadlock, but they also magnify the shock of one.
Category: public policy Strategic Planning Uncategorized Tags:
by French Caldwell | July 17, 2013 | 2 Comments
Colleagues today were discussing again the Snowden revelations about service providers giving governments access to digital business and social media data. One colleague suggested that we should not use the term back door in this context since by the traditional IT security definition this would imply that government agencies had direct access to the operational systems of service providers.
That’s a good point. Another way to think about government access is that it’s the back screen door that is left unlocked. The door to the house remains locked. Facebook, Yahoo and others are putting things out on the back porch for the government milkman to pick up.
When I talk to relatives and friends, they seem okay with that. But when I raise the point that if Facebook is doing that for the NSA, it is probably doing it for other governments as well, they get a bit nervous.
But they still insist that they don’t put anything on Facebook that would get them in trouble. Then I ask: are all your friends doing the same? And what about their friends? What if you get scooped up in an investigation because you have a relationship, even a 2nd- or 3rd-degree one, with someone else? What if you were denied a clearance, or a job, on that basis?
I guess we just don’t remember history.
Category: Cybersecurity public policy Social Technology Uncategorized Tags:
by French Caldwell | May 23, 2013 | 1 Comment
As John Wheeler and I work on the updated Enterprise GRC Platform magic quadrant, I wonder what has happened to many of the vendors that used to brief us. Actually, I know where they are, and now and then I’ll see them at a trade show, or shoot them an e-mail asking for an update. I always tell these vendors to make sure they stay in touch with, at a minimum, an annual briefing. Some do, some don’t.
Not keeping the analysts up to date is a mistake. Every day I recommend vendors to clients who are looking for solutions, and often those recommendations include vendors who have a special capability, industry domain knowledge, or geographic focus but who do not meet all the magic quadrant inclusion criteria.
Another thing I do is include vendors in other research, such as hype cycles. For instance, in the enterprise GRC platforms profile on the GRC hype cycle, I include vendors who have updated me in the last year, and I remove any who have not. The same goes for the continuous controls monitoring profile. So the surest way to get yourself removed from the “example vendors” on the hype cycle is to not brief the analysts.
Vendors are also often mentioned in technology overview notes. Sure, I’ll reach out to try to get them to brief me for the third-party risk management and social GRC notes I’m working on, but could I miss a particular vendor because they have not kept in touch? Yes, I could.
Category: Uncategorized Tags:
by French Caldwell | May 1, 2013 | 1 Comment
I just returned from the MetricStream GRC Summit in Las Vegas where I presented a keynote on risk management and performance. The summit was very well planned, organized, and executed. The speakers and panel participants talked not just theory but provided practical examples of the benefits and challenges of using GRC technologies to improve their risk management and compliance programs.
Last week I made a similar keynote to the Institute of Internal Auditors Quebec chapter. In both keynotes, I focused on the ERM/GRC blueprint concept that John Wheeler and I published in March. This blueprint provides a practical approach for identifying the goals of ERM programs in terms of strategic business objectives, and linking that to an underlying GRC architecture that can drive business performance benefits. After each session, attendees asked if I could meet with their boards of directors and share this concept and the strategic drivers of GRC. It’s exciting to see this very positive reaction to the idea that GRC can positively impact business value creation.
In a sidebar conversation at the MetricStream summit, an investor told me that he’s excited that GRC is becoming a true risk management platform that can integrate with processes throughout a company; he sees it as the next ERP. I agree the GRC marketplace is a good investment, but GRC platforms are not going to become deeply embedded in the enterprise by orchestrating risk management; they will do so by orchestrating business performance. Some vendors are starting to recognize this, and more will follow. In less than three years, all leading GRC vendors will support integrated performance and risk management.
PS: At the MetricStream GRC summit, putting my colleague Paul Proctor on a panel with Network Frontiers’ Dorian Cougias was a stroke of genius. No one in that non-IT audience could understand the security geek-speak those two got into, but they were so entertaining that no one cared.
Category: GRC Risk Management Uncategorized Tags:
by French Caldwell | February 6, 2013 | Comments Off
Even as the economic recovery gains momentum, risk management and compliance are still growing in importance. This trend should continue until there is a political and cultural shift toward deregulation. In the Gartner CEO survey, regulatory risk was ranked as the number one business risk, and in the Gartner/Forbes board survey, risk management, legal and compliance were the areas least likely to be cut. The hiring trends reported in this CFO article bear out that demand for risk management and compliance professionals is very strong.
Six Finance Jobs Ripe for Hiring in 2013
Hiring | February 05, 2013 | CFO.com | US What finance positions in the financial services industry will be hot in 2013? While economic and political uncertainty held back job growth in 2012, this year hiring activity is expected to be strong in six areas in particular, according to a new report from…
Category: compliance Legal IT Risk Management Tags:
by French Caldwell | January 30, 2013 | Comments Off
I’m on the road this week: first Boston for client visits and then PwC’s industry analyst summit, and now New York for a day at the LegalTech conference. What struck me most at PwC is how they were talking SMAC, the convergence of social, mobile, analytics and cloud technologies, which Gartner calls the Nexus of Forces. All the consulting firms are looking at how they can take advantage of this convergence, and most are focusing on marketing as the buyer. What was different about PwC’s SMAC is that they see major dislocation for business models, and hence the opportunity for digital transformation engagements across the enterprise, not just with marketing. At the same time, the Nexus is affecting PwC’s business model as well, and to grow they are focusing on how to take advantage of the consolidation of the consulting market.
Now at LegalTech, it’s easy to see that the legal profession is being hit hard by the Nexus. Technology vendors are responding to new social compliance demands and the challenges of discovery of social media. Law firms are seeing emerging legal services and a move toward do-it-yourself technologies for corporate counsel. But the bigger long-term issue for corporate counsel and law firms is that SMAC technologies are changing the very way that people engage with corporations and governments, and hence corporate business models and systems of government must rapidly change or they will fail. This is a major challenge for corporate counsels, whose basic role is to ensure that their companies and agencies comply with regulations and laws.
Complicating the matter is that corporate counsels are not well supported by the IT organization. A survey by Gartner and ALM showed that 80% of Chief Legal Officers say the legal department has no formal support from the IT organization. This will only further complicate digital transformation for those companies, and it inhibits the CLO’s ability to protect the company legally through a period of tremendous business disruption.
At Gartner, we’ve formed a collaborative working group of analysts who are looking at the challenges and solutions for legal IT support. This group is already producing research on legal IT support — storage and archiving, e-discovery, social media compliance, social risk management, enterprise legal management, GRC and more. And we look forward to working with CIOs and other IT leaders who are building the architectures to better support the CLO.
Category: Cloud compliance Legal IT Social Technology Tags:
by French Caldwell | January 25, 2013 | 1 Comment
I’ve read through the new draft guidance from U.S. financial services regulators on the use of social media. What struck me most is that instead of taking a compliance and control point of view, it talks of risks and the need to ensure that social media risks are included in your risk management program. That’s not to say that FSIs should take the guidance as merely advisory; as I learned in the Navy, a suggestion from a senior officer is an order.
So here are a few of the orders from the draft guidance:
- Although this guidance does not impose additional obligations on financial institutions, as with any new process or product channel, financial institutions must manage potential risks associated with social media usage and access
- The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing
- Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate
- Components of a risk management program should include the following:
- A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution
- Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance
- A due diligence process for selecting and managing third-party service provider relationships
- An employee training program
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance
- Appropriate reporting to the financial institution’s board of directors or senior management
And the last sentence of the draft is a comprehensive mandate: “As with any product channel, financial institutions must manage potential risks to the financial institution and consumers by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed within this guidance.”
What this all means for FSIs is that within the next couple of years, regulators will be examining your social media risk management programs. Sure, right now they’ve got plenty to keep them busy; Dodd-Frank rulemaking is only about a third done. But let’s not forget, there’s a new kid in town, the Consumer Financial Protection Bureau; in the social media risk area it doesn’t face a lot of competition from other regulators. What a great place to quickly carve out some new turf.
CIOs, start working now with your legal counsel and government affairs to draft your comments. And for Gartner clients, I’d recommend that before you submit the comments, you run them by us. My colleagues Stessa Cohen, Carol Rozwell and Andrew Walls and I, who are tracking social compliance and risk management, would be pleased to talk with you and provide our feedback.
Some Recommended Reading:
Gartner Fellows Interview With Patricia Flynn, Vice President at Fidelity Investments: Managing Social Media Compliance
Social Media Best Practices That Deliver Bank CEO Priorities
Use Gartner’s Social Business Program Maturity Model to Plan Your Next Move
Security Tools for Control of Social Media Usage
Category: compliance public policy Risk Management Social Technology Tags: