There are countless lessons we will learn from the ongoing COVID-19 pandemic, the value of a risk management program being just one.
To have an effective risk management program, security and compliance teams should continuously analyze the people, processes and technologies identified as mission- and business-essential during a crisis, and ensure this information is reflected in each system security plan. It is also essential to expand or create an integrated risk management program that is separate from (but complementary to) the compliance program, and adaptable to changes in circumstance.
Over the past several years, the security and compliance industry has stressed the importance of communication up and down the chain. Common forms of information delivery up the chain are scorecards, dashboards and other graphics. These hypnotic visuals attempt to translate the relationship between system vulnerabilities and business objectives, but rarely hit the intended mark. In the midst of a global pandemic, everyone in IT is awake and talking about the new challenges to our security postures. It has never been more important to evaluate our systems and the relationships they have to our lines of business.
Don’t get me wrong, compliance scorecards are developed with the best of intentions. However, in times like this, we realize that the red, amber and green on our scorecard contribute little to the system’s ability to support continuity of operations in a crisis. What do I mean by this? Ask any information system security officer supporting an assessment and authorization, or A&A, effort what their system categorization is, and they will confidently tell you. Ask them to describe (without using low, moderate or high) what impact the system has on the organization, and you will likely get a rehash of the system’s description. Although the description will include a synopsis of the system’s overall purpose, it will most likely be missing the “so what” factor, that is, the impact the system has on the organization. This is not their fault, as many information system security officers don’t have access to leadership to obtain this information.
This is a problem, because in times of crisis, leaders want to know what is mission- and business-essential in order to make critical and swift decisions. They need to know what they can live without and what they need to elevate in terms of priority and resources. They don’t care about the patch level. In times like these, patching, while important, is assumed; it is preventative maintenance.
Getting Back to the Real Purpose of an ATO
In my opinion, we have walked away from the original intent of authorization to operate, or ATO. Traditionally, the high-level data points collected for an ATO have always been:
- What is the system and associated data?
- How important is the system and data to the mission and business objectives?
- Is it secure enough to complete its mission and business objectives?
- What are the liabilities and risks to the organization for operating (or not operating) the system?
Instead of focusing on these key pieces of information that help leaders make decisions, the emphasis has been placed on preventative maintenance. Again, ensuring we follow our organization’s security program and meet the necessary security benchmarks is necessary to be confident in our systems. However, if we do not have the answers to the bullets above we are not managing risk—we are checking boxes.
Compliance is a single living organism in the ecosystem of risk management. To ensure we maintain readiness and viability, we need to stop thinking that an A&A equals integrated risk management. Although this is not solely an IT issue, with IT holding the A&A stick, we have a responsibility to engage security and risk management leaders across the organization if we ever want our “package” to mean something and ensure mission continuity is at the forefront of the risk management program.
Logging your wins and losses during the current crisis presents an opportunity to get buy-in across your business units and to distribute the risk management load, paving the way for a program that delivers value to your business and mission.
Gianna Price is a compliance subject matter expert for Telos Corporation.