Risk management is becoming increasingly complicated, thanks to the growing volume and complexity of security threats, and it is leaving many organizations awash in security risk data without the means for assessing or contextualizing its potential business impact.
According to a recent report from the ERM Initiative of North Carolina State University’s Poole College of Management and the American Institute of Certified Public Accountants (AICPA), two-thirds of 474 senior executives surveyed have recently experienced an “operational surprise” due to a risk they did not adequately anticipate. Worse, only 22 percent of respondents consider their risk management practices “mature” or “robust,” which represents a decline in maturity over the past two years.
Enterprise cloud applications provider Workday was one such organization struggling to translate its mounting security risk data into actionable business initiatives — until it developed an innovative risk management tool that not only scores and prioritizes risks, it translates risk data into language business leaders can understand and use to inform strategic priorities.
Translating risk data into business initiatives
When your business centers on hosting human resources and financial management data, security risk assessment is a core part of your mission. What Workday has found, however, is that translating risk data into actionable business initiatives is challenging when communication with business leadership about risks and risk context breaks down.
“We were great at capturing [security risk data] and great at talking about it, but not in language that was understandable for supporting the business,” says Pat Casey, director of information security at Workday. “We’d go to the business leadership, and they’d ask questions that didn’t relate to the data we had. It was hard to have the right conversations that we needed to have around risk and how to mitigate it.”
Plus, Workday’s registry of security risks itself left something to be desired, says Josh DeFigueiredo, Workday’s vice president and chief information security officer.
“Basically, it was a beefed-up Excel spreadsheet we created internally,” DeFigueiredo says. “It was a lot of manual entry, it didn’t scale well, and it didn’t provide visibility across the entire organization for executives who needed to access the data.”
The risk register’s static presentation gave no contextual insights into the risks it listed, nor did it assess the potential business impact, Casey says. As a result, the team had to develop criteria for presenting risk in layman’s terms so that business leadership could better understand it.
“Presenting a list of risks to the business was challenging, as they found it difficult to get context around them,” Casey says. “Business management and the C-level executives came to us and said, ‘We need a solution in place to help with this.’”
So the information security/risk management (ISRM) team enlisted Workday’s security systems reliability engineering (SSRE) to help establish a scalable, easily accessible tool that could be built on an open platform and be extended to a number of different business units.
“It needed to support our internal audit functions, internal risk management and compliance,” Casey says.
Workday was already using Splunk for reporting and alerts, and the fact that the teams were already skilled in Splunk made it an intriguing possibility, Casey says. So the teams went about exploring how Splunk could be used to solve Workday’s risk management issues.
“We already had our security risk data living in Splunk,” Casey says. “But we didn’t realize how that could be used in this way, even though a lot of the data lived there. The SSRE team felt this was a very attractive solution. They promised it could be done quickly, affordably, without exhausting our internal resources. It was also exciting, and challenging, to take existing tech and use it for something different than it was intended for.”
The resulting risk management tool (RMT), which received a CIO 100 Award in IT excellence, was the first time Splunk had ever been used in this way, Casey says. The tool, which includes a searchable database of risk data and a customizable analysis engine that scores and prioritizes risks, can highlight trends to draw attention to areas that need investment and model how mitigation efforts will reduce future risk. And its integrated “riskometer” provides business leaders with instant risk scores for assessing risk priorities, offering links to external sources that contain details of mitigating projects.
“The tool allowed us to present data in a format the business could engage with; for example, allowing for modeling of future risk scores when discussing security investments,” Casey says.
Integrating teams and innovating with what you already have
To complete the project, Workday’s ISRM and SSRE teams had to embark on “a bit of cross-functional learning,” Casey says. The ISRM team focuses mainly on high-level security strategy, while SSRE is much more technical.
“Our risk management people aren’t engineers; we were integrating the teams with SSRE, who are engineers. Getting them to work together was a bit of a challenge, and it did take some time for both sides to understand what the others were about, but at the end of the day, both of those teams fall under the same umbrella and they work really well together,” DeFigueiredo says.
Another challenge was convincing skeptics that using Splunk in a way that it had never been used before was the right move — a decision that was both exciting and nerve-wracking, DeFigueiredo says.
“Honestly, even those of us who were behind it were a bit skeptical — some people were saying, ‘Why don’t you use X, Y and Z, that’s built to do this?’” he says. “And getting past that myopic view and saying, look, those tools are expensive, they’re hard to integrate and difficult to use. They have features we don’t need and almost too much functionality for our purposes. We can make this work, on this platform.”
Once those challenges were overcome, everything moved quickly. The teams had a minimum viable product (MVP) in two months, the speed of which introduced another challenge, says Casey.
“People really wanted to use it immediately after MVP,” Casey says. “Managing expectations around what was possible was unanticipated; we had people telling us, ‘This is perfect, it’s just what we needed, why would you want to do anything more?’ And so, we had to go back and say, ‘We have more things we could do; let’s take an additional three months and build that functionality out,’” he says.
The entire process took between 12 and 18 months, says DeFigueiredo, wrapping up in June 2016.
“The results have been phenomenal. We now have a centralized, scalable, visible solution that allows us to calculate risk systematically based on specific criteria,” he says.
Prior to launching the RMT, only three members of the security team reviewed risks with any frequency, Casey says. Now there are more than 30 users. And that doesn’t take into account the broader audience across the business that regularly consumes the output of the RMT, he says.
Workday’s ability to reduce high risks has improved 150 percent over 2016. Other areas of the business are exploring how to adapt the solution for their own needs, Casey says.
“Now that we have this up, running, and working really well, we can extend the solution to other parts of the business, like compliance and internal audit. Once we extend this, as a business unit owner, I can log in, select my organization and see all of the issues, findings, requirements for compliance that I need to address,” he says.
Casey says IT leaders shouldn’t be afraid to initiate difficult conversations about risk and security and how to scale solutions across all areas of the business. DeFigueiredo adds that doing so means involving not only senior management, but also department heads and IT leadership across other business units.
It’s also key to think outside the box, even if that means looking in your own backyard, Casey says.
“Think about what technology you already have and see how you can apply that in different ways,” he says. “But also, move quickly when you get buy-in. For us, being able to deliver on this within two months and have it be such a resounding success was key — and it builds huge credibility with management.”
DeFigueiredo agrees: “The solution could be right in front of your eyes; a solution that’s purpose-built for one thing could actually be applied to other areas of the business.”