Scorecards and Dashboards (in IT Risk Solutions)
After the success of “The Ostrich Syndrome“, Risk Management Executive asked me to write another article.Â This time I chose to speak on something near and dear to my heart: the need for executive dashboards to know how much better (or worse) they are doing today vs. last year.Â Here it is, as appeared in June 2005:
Scorecards and Dashboards
The business world today faces two, often conflicting, demands for security.Â The first is Return-on-investment (ROI) and the other is compliance.Â Whereas compliance is regulation driven, ROI is the reason-dâ€™Ãªtre of business.Â Any business.
When we approach risk management, we must consider several techniques that we can use.Â We can use risk avoidance which is a technique based on early recognition of potential risk.Â We can use risk mitigation, which is a method to handle risk once we realize we have that specific risk.Â Finally, we can also use risk management which really is an over-arching term used to describe various ways to address risk.Â The common thread here, between all these methods, is that we must realize that the Risk exists and we must address it (one way to address it is to ignore it, but thatâ€™s not why YOU are reading this newsletter.)
In business, however, Risk is most welcome.Â Risk is the way business gets done and Risk is the way Rewards are obtained.Â We all know the adage â€œnothing ventured, nothing gainedâ€.Â So, frequently business invites risk upon itself in order to grow and become more profitable.
In order for the business executive to make the right decision, he or she must know their organizationâ€™s position with regard to risk (risk tolerance), its current exposure to risk, and the potential rewards and penalties that might be derived from that risk.
We, as Business Executives with risk mitigation responsibility have a unique opportunity.Â The opportunity we have is that with todayâ€™s technology we can tie our enterpriseâ€™s current exposure â€“ both ROI and compliance driven â€“ to an automated system that can present to us our true Risk Exposure at any given moment and that can track our exposure over time.
Such a tool could be numerical (We are at a â€œ7â€ today vs. â€œ6â€ last year), report card-format (We get a B Plus today), or graphical.Â Such a tool can also compare and contrast systems, sites, organizations, departments and processes.Â This tool can offer histograms, which help track where little change brought a lot of risk or, conversely, a great ROI.Â Finally, such a tool can be used to justify investment in our tools, processes and training.
If your organization does not have such a unified risk management tool, there are four first steps that will help you begin the process to achieve it:
- Assemble your Key Performance Indicators (KPIâ€™s.)Â These are the measurements that you and your organization are responsible to provide
- Decide on the frequency you would like the details available (annual vs. monthly vs. daily vs. hourly vs. to the minute) and in what format (graphical? Numerical?)
- Decide who needs access to the information â€“ is it only you?Â Is it your superiors? Your direct reports?
- Include the three items above in your goals list for this project.
In the next article, we will discuss how to build such tools, how to make sure that they communicate with other systems in the data center, and how to derive information from them in a realistic and dependable manner.
Ariel Silverstone,Â Director at the Office of the CTO at Symantec and formerly the Chief Information Security Officer for Temple University, is a frequently requested speaker and avid writer.
He has been involved in the computer industry for over 17 years, contributed to over 30 published books and has consulted nationally and internationally for Fortune 1000 firms on the implementation of management information systems and networking systems. Over the years, he has designed and set up hundreds of networks , including using all versions of Windows, Netware and many flavors of Unix.