PHILADELPHIA – As one of the 10 largest retail chains in the world, Target Corp. knows a thing or two about making a successful sale. According to its risk management strategist, the success of Target's risk management architecture has also hinged on sales, namely selling risk management methodology to internal stakeholders.
In a session at the 2012 (ISC)2 Security Congress this week, Target Senior Architecture Consultant Michael D. Kelly discussed the information security risk management architecture implementation and maturity process at the Minneapolis-based retail chain. Kelly, a 25-year IT veteran who has been working on Target's risk management program for two and a half years, said one of his first steps, setting expectations, arguably proved most important.
"First of all, you have to define what success is. In my experience building programs like this, most of the work is up front, setting expectations," Kelly said. "If you don't tell the stakeholders what success means, the risk management program will probably fail, or take a long time."
Kelly said it's critical not to over-promise and under-deliver. For example, he said it doesn't make sense to promise executives that organizational risk will decline during a certain period of time, as such a calculation is based on too many factors that lie outside the information security team's control. Instead, he said, it's better to guarantee that the organization will be able to define and assess risk, and take action to reduce that risk when deemed necessary.
Kelly stressed the need for stakeholder and executive buy-in, which includes identifying the business decision makers who will act on the information the risk management program provides. Stakeholders should know that the goal of the program isn't to eliminate risk, but to manage it, he said.
"All we should really be talking about is managing risk," Kelly said. "That means understanding it, reacting to it consistently, and having consistent processes to treat risk all throughout the life cycle."
Communicating IT risk management concepts to business leaders is itself a challenge, however. Attendee Ron Trunk, senior consultant with Chesapeake Netcraftsmen in Arnold, Md., said the first obstacle is simply getting management's attention. From there, the conversation is difficult because business leaders don't understand the technology side of risk.
"A lot don't understand the technology or how it's being used and so they can't assess the risk," Trunk said. "So it's left to the technology side, but they don't know the business."
Kelly acknowledged the challenges of bridging the gap between IT security teams and business managers, noting that at Target he was fortunate because he was able to piggyback off of its internal governance team, which was conducting similar work and had already established key relationships with executives.
What can help, Kelly said, is making the program as simple and easy to understand as possible. He emphasized the need for terminology that is precisely defined and used by everyone involved with the program, as well as a consistent focus on defining and measuring success.
"You have to show it to people," Kelly said. "Show them a chart, a table; that will help get buy-in from your stakeholders."
Getting there, though, can be hard work. Kelly said Target built a 30-page taxonomy of FAQs, terms and processes within its architecture. That has helped technologists, C-level executives and everyone in between speak the same language on risk management.
"That way, your stakeholders understand and they say the same things you say without being prompted," Kelly said. "If you can go to your boss's boss's bosses, and they say the same things you've been saying, that's what I call a measure of success."
Risk management programs are far from easy, however. For instance, Kelly said one of the many challenges he has encountered is classifying threats and vulnerabilities as they are discovered. At first, he said, there was some confusion regarding what was or wasn't a threat, but the organization eventually converged on a combination of CVE (Common Vulnerabilities and Exposures) and SCAP (Security Content Automation Protocol) that works well.
Today, Kelly said, the maturity of Target's risk management architecture program is about a 2.5 on a scale of 1 to 5.
"We've got a long way to go, and it probably won't ever end, but that's a good thing, because the maturity will continue to grow as technology changes. And as the industry changes, these programs will continue to grow."