Getting alignment is the first step in a proactive approach to cyber security

I’m speaking next week at an RSA security conference in Ottawa about how Risk Intelligence can apply to government organizations. Risk Intelligence is about providing aggregated and transparent risk data to enable timely, informed and confident business decisions.

I believe that threat organizations likely have a better view of a business than most businesses have of themselves.

Why is that? The reason is because of misalignment within an organization. There are two factors at play here.

First, misalignment based on organizational structure. Many organizations (government included) are still running in a very siloed organizational framework, rather than being aligned to support the core services that drive their organization. Threat organizations have a different way of looking at your business. They look through a business architecture lens. They are razor-focused on the organization’s core value, and on what products and services carry that value to market.

Threat organizations prey on the organizational divides that this kind of misalignment supports. They aren’t bound by organizational divisions. They aren’t constrained by internal politics, but they are certainly very interested in them. (Not only that, but because the public demands transparency, every access-to-information request or news story gives threat organizations more and more info, without their having to lift a finger.)

Second, misalignment occurs when there is a lack of a common risk taxonomy. For every department, group, agency, or office, there exists another language to describe and communicate risk and security information. As long as everyone feels the need to have their own language, threat organizations will be confident that a co-ordinated approach to managing risk within the federal enterprise remains only an intent to take action.

When we talk about Risk Intelligence, it’s about creating an effective governance, risk and compliance (GRC) program, anchored in a common vision to collect aggregated, transparent risk data across an organization, and to align reporting and actions with its central business goals.

There is a bit of good news at the Canadian government level. Nineteen business objectives have been defined that should be used to categorize systems in the federal government. That’s a good start to operating through a common Business Architecture lens, and it’s also the start of developing a common language to talk about risk. Those are some of the first steps to building a proactive Risk Intelligence program.

What do you think? Is this something you see within your organization? We look forward to hearing about your challenges and approaches at next week’s event in Ottawa.

(You can download Kirk’s presentation from the RSA Summit in Ottawa here…)

Kirk Hogan

About the author

Kirk is Iceberg's Chief Operating Officer, and has 20 years of experience in IT security and risk management. Kirk manages the delivery of Iceberg's GRC Centre of Excellence program, delivering effective Risk Intelligence programs to our customers and partners.