Information Security Magazine

Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way
by Bruce Jones
Issue: Oct 2009

Risk metrics were virtually non-existent three years ago when I took over as Kodak's global IT security and risk manager. The company's risk management process was cumbersome, time-consuming, inconsistent, and subjective; as a result, we lacked a comprehensive picture of our security posture to present to the business.

I wanted a security metrics program that not only supported the budgeting and investment process for IT security but also provided an "at-a-glance" view of the overall risk posture. I researched different risk models from the National Infrastructure Advisory Council (NIAC), the National Institute of Standards and Technology (NIST), and Microsoft SFT, and came away with the opinion that their models would not fit our requirements relative to management and overhead.

I decided instead to rely on my previous business experience to develop our current metrics program: a tier-based approach to IT security risk management that uses a set of standard probability and business impact frameworks to provide a lean assessment process. One of the keys to our program's success is that reporting and presentation of security risk metrics is "business-user-friendly."

IT governance, risk and compliance (GRC) has emerged as a unifying theme in aligning risk with the business. The challenges of bringing each silo together are considerable, but if the work is approached correctly, alignment is achievable. An IT GRC program encompasses the implementation of systems and processes to monitor current business activity. It should also determine, set and manage the risk tolerance level for the corporation, identify potential risks, and prioritize and manage them. The IT GRC team, meanwhile, should determine what needs to be done to ensure continued compliance and provide a process for corrective action where necessary.

Most importantly, the overall IT GRC program provides a common framework for communication and collaboration. Prerequisites for meaningful and productive cooperation include a common set of controls and a common risk management schema, so that everyone ranks risk the same way. It is also important to have documented policies, procedures, and work instructions as well as a standard decision-making process. If the IT GRC program has these things in place, the groups involved will effectively speak the same language, which is key to avoiding misunderstandings and eliminating future conflict between the various groups.

Having an agreed-upon risk management framework is a crucial element in this structure and provides a firm foundation for every other discussion. First, it provides a simple basis for presenting complex risk data and a holistic, risk-based view of the security posture of the entire organization. Second, it serves as an effective tool for translating operational and tactical risk data into meaningful business information, which is indispensable for communicating with the various levels of management. Having this common view of the risk posture helps drive data-based decisions and can be used for both short- and long-term budgeting decisions.

For Kodak, our tier-based approach does all this and more, including a formalized assessment and acceptance process that engages appropriate levels of management based on the tier level of the risk. In addition, a monthly dashboard is published that provides an "at-a-glance" view of the current risk posture.

Kodak's tier-based risk model is based on three levels of risk:

  • Tier 1 is the highest risk level and represents threats that you never want to occur in your environment.
  • Tier 2 risks represent a moderate level of risk; for these, it is important to track how the threat is trending. For example, if it is growing and may soon become a top-tier risk, then quick action is needed in order to mitigate or eliminate it.
  • Tier 3 risks represent the lowest level and in many cases are considered an acceptable level of risk.

To calculate the risk tier, the probability is assessed against the business impact. (See Fig. 1.)

Our probability and business impact frameworks, meanwhile, quickly score the two dimensions of a risk. Each framework is organized into several topical areas, each with its own set of statements representing risk levels from high to low. To assess probability or business impact, a user highlights which statements are true and makes a subjective determination based upon all factors presented. This results in a score from 0 to 10 on each axis, which can then be plotted to determine the tier level. The assessment process is not perfect; it is designed to get the risk into the appropriate bucket so that it can be dealt with appropriately. If a risk is borderline, it is typically pushed into the higher tier.

Kodak's risk program approval/acceptance process is based on tier levels (see Fig. 2). For example, there is no reason for senior vice presidents to be involved in discussions regarding tier 3 risk; conversely, only an officer of the company should accept the remediation plan for a tier 1 risk. Previous risk programs at Kodak required several senior managers to sign off on remediation, regardless of risk.

It is important to consider the entire range of risks holistically to determine if the aggregate represents a risk level that is above the tolerance of the corporation. Having a dashboard that shows collective risks is an important tool for communicating overall security posture to management.
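The following is an added worked example of the tier-based scoring, acceptance routing and dashboard roll-up described in the last few paragraphs. It is not Kodak's model or code from the article: Fig. 1 and Fig. 2 are not reproduced here, so the band boundaries, the tier matrix, the borderline margin, the approver titles, the tolerance limits and the sample risk register are all assumptions chosen to illustrate the mechanics.

```python
"""Tier-based risk model: score each axis 0..10, plot to a tier, route
acceptance by tier, and roll the register up into a dashboard.

Added example; every constant below is an assumption, not the article's."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed axis bands (upper bound exclusive for low/medium). Fig. 1 is not
# on the page, so these boundaries are illustrative.
BAND_UPPER: Tuple[Tuple[str, float], ...] = (("low", 3.5), ("medium", 7.0), ("high", 10.0))

# Assumed tier lookup keyed by (probability band, impact band); 1 = highest.
TIER_MATRIX: Dict[Tuple[str, str], int] = {
    ("high", "high"): 1, ("high", "medium"): 1, ("medium", "high"): 1,
    ("high", "low"): 2, ("low", "high"): 2, ("medium", "medium"): 2,
    ("medium", "low"): 3, ("low", "medium"): 3, ("low", "low"): 3,
}

# "Borderline" rule: a score this close below a band boundary is pushed up,
# so ties never land in the lower tier. Margin is assumed.
BORDERLINE_MARGIN = 0.5

# Assumed acceptance authority per tier (Fig. 2 is not on the page).
ACCEPTANCE_AUTHORITY: Dict[int, str] = {1: "company officer", 2: "director", 3: "risk manager"}

# Assumed corporate tolerance: maximum number of open risks allowed per tier.
TOLERANCE: Dict[int, int] = {1: 0, 2: 5}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # 0..10 from the probability framework
    impact: float       # 0..10 from the business impact framework


def band(score: float) -> str:
    """Map a 0..10 axis score to low/medium/high, rounding borderline scores up."""
    if not 0 <= score <= 10:
        raise ValueError(f"score {score} outside 0..10")
    effective = score + BORDERLINE_MARGIN
    for name, upper in BAND_UPPER:
        if effective < upper:
            return name
    return "high"


def tier(risk: Risk) -> int:
    """Plot probability against impact and return the tier (1 is highest)."""
    return TIER_MATRIX[(band(risk.probability), band(risk.impact))]


def acceptance_authority(tier_level: int) -> str:
    """Who must accept the remediation plan for a risk of this tier."""
    return ACCEPTANCE_AUTHORITY[tier_level]


def dashboard(register: List[Risk]) -> Dict[str, object]:
    """Roll the whole register up: counts per tier and tolerance breaches."""
    counts = {t: 0 for t in (1, 2, 3)}
    for risk in register:
        counts[tier(risk)] += 1
    breaches = sorted(t for t, limit in TOLERANCE.items() if counts[t] > limit)
    return {"counts": counts, "breaches": breaches, "within_tolerance": not breaches}


# Constructed sample register (not real Kodak data).
SAMPLE_REGISTER: List[Risk] = [
    Risk("Unpatched internet-facing web server", probability=8.0, impact=9.0),
    Risk("Stale contractor accounts with VPN access", probability=6.6, impact=5.0),  # 6.6 is borderline -> high
    Risk("Laptop theft without disk encryption", probability=5.0, impact=5.0),
    Risk("Phishing of helpdesk staff", probability=4.0, impact=2.5),
    Risk("Outdated printer firmware", probability=2.0, impact=1.0),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        t = tier(r)
        print(f"Tier {t}  accepted by: {acceptance_authority(t):16}  {r.name}")
    print(dashboard(SAMPLE_REGISTER))
```

Running the block shows two tier 1 risks (the second one only because its 6.6 probability sits in the borderline band and is pushed up to "high"), so the dashboard reports a breach of the assumed zero-tolerance limit for tier 1 even though every individual tier 2 and tier 3 item is within limits; that is the aggregate view the paragraph above calls for.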

Taking a business-centric view in developing an IT GRC program is essential to gaining buy-in and support from the various levels of management. Engage all parties that have a vested interest in the development of the IT GRC program; this team should include members from senior management and business management, the compliance officer, the privacy officer, the auditing group, application owners, and infrastructure owners. And be patient. Building a strong and comprehensive GRC program takes time; treat it as a living document and plan that is refined as you go forward.

SECURITY 7 AWARDS

BRUCE JONES
TITLE Chief information security officer / Head of global IT security and risk
COMPANY Kodak
INDUSTRY Manufacturing
KUDOS

  • Member of internal IT risk council and information security advisory boards
  • Highest ranking security and risk management executive at Kodak
  • Runs a team of six responsible for the security of 27,000 internal users
  • Created Kodak's Global IT Security and Risk Management Program
  • Mandates that all risk decisions are made in alignment with business goals and risks explained in terms of impact to the business
  • Implemented an identity-based encrypted email system to communicate securely with third parties and partners
  • Developed an IT security architecture to drive standardization across IT security tools and infrastructure
  • Eliminated $2M in IT support expenses
  • Developed Web-based IT security training course that was deployed in 11 languages
  • To meet Sarbanes-Oxley segregation of duties mandates, managed team of 500 to remediate 100,000 segregation of duties conflicts and remediate 13,000 users with excessive system access

EDITOR'S PICK
Bruce Jones is a 27-year veteran of Kodak and his experience is gold in this industry. His efforts around risk management and compliance directly improve Kodak's bottom line, saving substantial money, all while standardizing the way information security is managed and deployed company-wide.

All Rights Reserved, Copyright 2003 - 2009, TechTarget