Management and executives must make decisions based on real risks affecting the mission and business processes of their user organization. Therefore, they must solicit advice from their risk experts, such as risk managers and IT auditors. However, the experts are bogged down with details at a (very) low operational level and may not fully understand the mission and business. The executive and risk expert live in different ‘worlds’, communicating risks each in their own language and without a context understandable to each other.
As part of the solution direction, this paper suggests education for ‘risk experts’, who have to provide understandable risk-based information to executives and senior management, and education for IT auditors, who have to judge the existing measures from a mission and business perspective. The goal is to create more valuable information for the risk-based decision-making process through education.
The IT auditor in 2020
Within the profession of information security and IT audit, possible improvements to the effectiveness of risk management are being discussed as part of the debate on ‘The IT auditor in 2020’. Our vision is that one of the pivotal aspects is improving the education of these professionals, so that they are capable of understanding the concerns of executives and of speaking their language.
Corporate Governance dictates that executives realize the mission of an organization, considering the real risks. Therefore, executives must understand and assess the risks and their possible impact on the business processes. All entities face uncertainty and the challenge for senior management is to determine how much uncertainty can be accepted. [FLAH14] One should note there is a definite distinction between gambling on risk, where the odds are exogenously determined and uncontrollable, and acting on risk assessments where experience or pertinent information reduces the uncertainty. [RIAB12]
Executives and Senior Management
Firstly, taking and managing risks is undoubtedly a responsibility of executives and senior management. [ISAC12] It turns out that many managers fail at identifying the real risks and acting on them, since they tend to be generalists. [NIST11] [STRA98] The risks are (1) not identified, (2) not understood, (3) ignored or (4) have become lost between those with the knowledge and the decision maker. [RIAB12]
In the specific case of IT risks, information security and privacy protection, this gap is even wider. [STRA98] Historically, executives and senior managers have had a very narrow view of information security, either as a technical matter or as a ‘stovepipe’ independent of organizational risk. [NIST10] This limited perspective often results in inadequate consideration of how information security risk, like other organizational risks, affects the likelihood of organizations successfully carrying out their missions and business functions. [NIST11]
Although most organizations are becoming increasingly dependent on IT, executives and senior management still tend to ignore the importance of appropriate measures for information security. [SKAL13] Security is still not at the top of their priority list. [RIAB12] They focus on the functionality of the information systems and on how to make money with data, while security is a non-functional requirement. They are reluctantly forced to spend attention, money and manpower on this non-functional requirement, while it does not contribute to their profit.
The underlying problem is that managers often lack the knowledge and expertise regarding the topic. [STRA98] However, one cannot expect senior managers to master all domains of risk. [NIST11] Senior management therefore needs the support of skilled risk experts who make the real risks visible, understandable and quantifiable. Information security risk management requires the best collective judgment of specialists and expert groups within the organization. It is imperative that managers at all levels understand their responsibilities and are held accountable for acquiring the appropriate skills and experience and for collecting the knowledge required. [NIST11] However, it is at this point that the risk management process fails.
Risk Managers and Risk Experts
Secondly, risk managers and risk experts are not always assisting senior management and executives properly. A decision maker should consult experts who perform the risk assessment activities. Although extensive and thorough literature can be found on accepted risk management approaches [NIST10] [NIST11] [NIST12] [NIST13] [PELT05], it seems that the real risks to the organization performing its mission are often not understood.
Possible causes of this failure can be found in the literature, such as the fact that these generally accepted approaches demand very detailed knowledge about the IT security domain and the actual company environment. [EKEL09] Although the approaches provide detailed information about potential threats, vulnerabilities and countermeasures, they lack the required organizational context and guidelines. This lack leads risk experts to focus on technological and procedural aspects rather than on mission and business aspects, resulting in poor risk-based decisions. [FLAH14] [PFEF06] Without this organizational knowledge and expertise, it is almost impossible to consider the complex relation between IT security risks and the organization’s mission. [EKEL09] Moreover, the expert is often not capable of explaining the risks in language and in a context understandable at the executive level.
In general, many executives and senior managers are generalists involved in realizing the mission, but with only a limited sense of how to act on risk information, while many risk experts work at too detailed a level and fail to identify the real risks for the mission and to communicate them to the executives and managers. Since management lacks the knowledge and is often poorly informed, it cannot make correct risk-based decisions. It seems that executives and risk managers live in different ‘worlds’.
Identification of the problem, twisted organizations
Every person handles real and perceived risks in their own way. There is no common approach to decision making, due to personal attitudes and specific circumstances. In other words, ‘a person hears what they want to hear’. This means that recommendations are ignored when they clash with the beliefs and expectations of the decision maker. [PFEF06]
Based on a Dutch study by Hart, we can define three distinct areas for acting on signals and recommendations. [HART12] These are (1) the world of the executives, i.e. the Board and division directors carrying out the mission, (2) the world of the business processes where the customers are serviced and the money is earned, and (3) the world of the systems and procedures, supporting the business processes. We use the following names for these three areas, the World of Mission, the Business World and the System World. See figure 1.
Everybody lives in their own world. We discuss these three worlds, focusing on communication issues between them due to their specific ‘languages’.
The World of Mission
The executives are expected to define the strategy of the organization and to guide management in motivating the staff to reach the business goals. They set ‘the tone at the top’. The executives deal with the mission and communicate with their peers, such as their board of supervisors, regulators, accountants, executives of other organizations and government agencies and their division directors. [HART12] [SKAL13]
In fact, executives live in closed box 1. They often have only an implicit connection to the Business World and hardly any direct connection to the System World. They are concerned about the continuity of their organization, laws and decisions by Parliament affecting the business position, their own career, et cetera. Although the executives understand risks within the World of Mission, they are not always fully aware of the threats and risks arising from the two underlying worlds that potentially impact the mission. They must assume that lower-level managers have taken appropriate measures, but cannot be sure that they did.
The Business World
The real world is the Business World, where the organization meets the customers, achieves business goals and money is earned. This world is governed by strict objectives such as market position, customer base, and profit. Therefore, senior management in the Business World has clear responsibilities. Their career depends on the realization of their key performance indicators and profit objectives. [HART12]
The Business World needs support from systems and procedures to create a manageable and controlled environment. The System World realizes a major part of this support.
Senior management of the Business World lives in their own closed box 2 and is heavily involved with their own concerns about customer and staff retention, managing staff, solving personal problems of the staff, fulfilling their profitability obligations, ensuring customer satisfaction, et cetera. They know the threats and risks within their own box but are hardly aware of the concerns of the executives in the World of Mission or the problems within the System World. [SKAL13]
The System World
The System World is, in fact, a projection of the Business World, in the same way that a street map represents the city in which we live. In the System World the procedures, forms, information systems, databases, websites, standards, et cetera, are developed, maintained and enforced. Often, there is some friction between the Business World, striving for flexibility and profitability, and the System World, always looking for perfection and assurance. [HART12]
In the System World, we often find highly specialized experts around the systems, who are involved in the procedures. They support the business with quality assurance and metrics, measures for functionality and continuity, facilities, et cetera. This world is also a closed box, indicated in the figure as box 3. These experts are only partially aware of what is relevant for the Business World, due to limited contact with box 2, and are often completely unaware of the concerns within box 1, the World of Mission, due to the distance.
Evaluation of the interaction between the worlds
Many organizations assume that it suffices to have some risk managers and experts physically located within the Business World. For example, banks and insurance companies use risk management intensively for their market position, the impact of new laws, external risks, financial processes, valuation of assets, et cetera. These risk managers are assumed to support the business processes only. However, business managers perceive these risk managers and experts as acting from a System World perspective, since they primarily verify the procedures and the use of the systems as defined by a framework. The attitude of many of these experts in the System World is ‘rather safe than sorry’, whereas managers in the Business World have a more risk-prone attitude. [RIAB12]
Sometimes organizations believe that ‘optimizing’ the System World via more management information systems, procedures, policies, frameworks et cetera, is beneficial to achieve the goals of the Business World. However, too much focus on the System World results in more ‘System Thinking’. The logical consequence is that one creates more distance between the World of Mission and the Business World. [HART12] So, problem number one is ‘System Thinking’.
A second group of risk managers and experts within the System World focuses on the facilitating (sub)organizations, such as IT. Here we also have IT auditors and operational auditors, providing assurance on the processes running within the System World and only partly on the processes within the Business World.
The problem here is that the activities of these groups are limited to their own view. [HART12] [SKAL13] An IT auditor writes a report on compliance with certain standards, which are used primarily in the System World. The language used by the IT auditor is dedicated to these standards. The control objectives, phrases and words used are either not recognized in the World of Mission or Business World, or these worlds fail to understand the impact of the findings on their business processes. So, the second problem is the use of ‘System Language’. See figure 2.
In theory, risk management should be organized top-down. In practice, many organizations lack such a top-down approach. The level at which risk management and IT audit are performed is often primarily within the System World or, better said, from a ‘System Thinking’ perspective and in ‘System Language’, without regard for the interests and intention of the organization. In such a case, we may speak of a twisted organization, often without an integral approach to risk management. The World of Mission and the Business World will only understand and accept a risk if they recognize it as affecting their mission and business processes. Many of the risks signaled from within the System World fail in this respect.
Tiered Approach to Information Security Risk Assessment
The US National Institute of Standards and Technology (NIST) provides guidelines to ensure that the organization’s risk management process is conducted effectively top-down across three tiers, i.e. (1) governance, (2) mission, business processes and information flows, and (3) information systems. [NIST10] [NIST11] The three Tiers can be described as in figure 3.
NIST uses a structured approach. However, the NIST documents are theory and are often not applied as intended by their authors. The primary problem is the mismatch between the three Tiers and the three worlds defined in this paper. In practice, many controls are managed at the detailed level of the System World, which fails to involve the context of the World of Mission and the Business World in an effective way.
Tier 1: Governance
The first component of risk management addresses how organizations establish a risk context, describing the environment in which risk-based decisions are made. Tier 1 addresses risk from an organizational perspective by establishing and implementing governance structures that are consistent with the strategic goals and objectives of organizations and the requirements defined by laws, directives, policies, regulations, standards, missions and business functions. In our model, this is the World of Mission. [HART12]
Tier 2: Mission and Business Process
The second component of the risk management framework addresses how organizations assess risk in the context of the organization at Tier 1. NIST states: Tier 2 includes prioritizing missions and business processes with respect to the goals and objectives of the organization. This is translated into an enterprise architecture with an embedded information security architecture. [NIST11]
In our experience risk management is hardly performed in the Business World but is delegated to the experts in the System World. Moreover, many risk managers and IT auditors are not trained to understand Tier 1 and 2 fully. So in practice Tier 2 is often handled in isolation within the System World and from a ‘System Thinking’ perspective only.
Tier 3: Information Systems
The third level addresses risk from an information system perspective and is guided by the risk context, risk decisions and risk activities at Tiers 1 and 2. NIST states: ‘Tier 3 includes activities such as categorizing organizational information systems and allocating security controls to organizational information systems. This includes the environments in which those systems operate, consistent with the organization’s established enterprise architecture and embedded information security architecture’. [NIST11]
Standards are used, such as the ISAE 3402 assurance report, ISO 27001:2013 ‘Information Security Management System’ [ISO13] and NIST Special Publication 800-53 ‘Security and Privacy Controls for Federal Information Systems and Organizations’ [NIST13]. These standards contain detailed measures and specifications, convenient only for experienced IT auditors. Their reports contain so many technical and procedural details that managers within the Business World can hardly understand them, let alone assess their impact on the business processes. Such a bottom-up approach fails to deliver a message to the World of Mission. These professional experts usually report in ‘System Language’.
Although NIST proposes a top-down process for risk management across three tiers, in practice it does not work, because the experts live in the System World and handle both Tier 2 and Tier 3 from the same ‘System Thinking’ perspective, which is neither supported nor understood by those within the Business World and the World of Mission.
In this paper we defined the problem that an organization is an environment consisting of different worlds. These different worlds are in fact disjoint areas with an explicit or implicit relation. The relation and communication between the worlds are hampered by inherent characteristics of the experts and auditors living in the System World. Because of the experts’ natural interest in details at a low operational level, the Business World and the World of Mission accuse them of speaking an unintelligible System Language and, due to System Thinking, of not thinking in terms of the interests or mission of the organization. We believe that once this problem definition is broadly recognized within the profession, a variety of solution directions can be defined, e.g., with the aid of education. Our education-oriented approach focuses on the risk experts and IT auditors. Our goal is to create awareness, so that upcoming professionals will identify the communication problem between the different worlds at an early stage. For them, it is crucial to understand the specific environments and intention of the organization and to speak a language understandable to their customer. In this way we avoid misconceptions about the added value of the risk experts and IT auditors.
We do not have any doubts about the indispensable role of the risk experts and IT auditors. Moreover, we believe that the demand for their expertise related to information and digital technology will only increase in this digital era. We shared and discussed our vision with students, professionals and colleagues, and participated in working groups. At VU University we dedicated a seminar to the discussion ‘IT and Audit in the Coming Decade’, where the relevance of future IT auditing was discussed. We would like to share some of the statements made by the speakers and the audience at our seminar:
- ‘Experts should stay away from the identity discussion. No matter if you are a banana or a pear, choose to be one’.
- ‘Do not walk in the shadow of another generic profession, e.g., general IT management, and do not fade. The added value of the IT auditors lies in the core of their profession, i.e. information assurance and privacy protection’.
- ‘There is a great need for experts that truly understand laws and regulations, who understand technology in depth and can act on different levels within organizations. But please, dear IT-auditor, demystify your expertise or profession and speak an understandable language’.
Impact on Curriculum at VU University
VU University decided to adapt the curriculum for 2015/2016 by paying more attention to communication for risk managers and IT auditors. The students must become professionals who are able to judge the threats, risks and effectiveness of the existing system measures from a mission and business perspective. [VU16]
The IT Audit, Compliance & Advisory faculty has a diverse group of students, such as junior IT auditors of the Big-4 audit firms, financial corporations and government agencies, and a more specialized group such as penetration testers and risk managers. The current 2½-year curriculum consists of an initial six months of Administrative Organization and Internal Control, similar to the education of accountants. The foundation of IT audit is still to provide assurance to the accountants, so we have to speak an identical language. The second year covers IT Governance, IT Risk Management & Compliance, Application Architecture, Software Development, Project Management, et cetera, in accordance with Cobit 5.0 [ISAC12], as well as training in advisory skills. The third year deals with the technical and organizational infrastructure of IT, i.e. platforms, networks, ITIL processes, et cetera.
It has been decided to extend the second year with six workshops, each taking a full working day, training the students in the World of Mission and the Business World. [VU16] During the workshops they do not act as a risk manager or IT auditor, but as an executive who lives in the hectic and dynamic worlds of the mission and the business. They will be trained to handle a large number of important and urgent issues, of which IT risk management is only a minor one. The trainers will be senior managers of multinational corporations and governmental departments, with much experience in providing structure and solutions at boardroom level. Some trainers are Lean Six Sigma Black Belts, who are skilled in eliminating the 7+1 kinds of waste, i.e. defects, overproduction, waiting, non-utilized talent (the ‘+1’), transportation, inventory, motion and extra-processing (abbreviated as ‘DOWNTIME’). They attempt to reduce the ‘System Thinking’ described in this paper, and to stimulate our students to move from using ‘System Language’ to formulating in business and mission language by setting the right priorities for their messages to the World of Mission and the Business World. In this way, these risk managers and IT auditors will have a higher added value for senior management and executives.
Education must be adapted to changes in the fields of work of the professionals. Our world is changing, especially due to the rapid proliferation of IT in the daily life of ordinary people. This has a high impact on civil authorities and commercial corporations. More assurance is required about the proper use and functioning of IT, which requires better risk management and better methods for IT auditing.
Both the universities and the organizations of professionals such as NOREA must recognize these changes. They have to educate and coach the professionals, preparing them for the challenges of a society that is becoming entirely dependent upon IT. Any disruption of IT will directly imply a disruption of society. So, we must ensure that risk experts and IT auditors have access to those who can make decisions, i.e. senior management of the large organisations and governmental agencies. There they have to speak the proper language, which can be understood in the World of Mission and the Business World.
[EKEL09] Ekelhart, A., Fenz, S., Neubauer, T., Aurum: A Framework for Information Security Risk Management, Hawaii International Conference on System Sciences (HICSS), 2009.
[FLAH14] Flaherty, J.J., Maki, T., Enterprise Risk Management Integrated Framework: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO), September 2014.
[HART12] Hart, W., Verdraaide Organisaties: Terug naar de Bedoeling, (‘Twisted Organizations, Back to the Mission’) (in Dutch) Vakmedianet Deventer, ISBN 978-90-23-20573-5, 2nd ed., 2012.
[ISAC12] ISACA, A Business Framework for the Governance and Management of Enterprise IT, Cobit 5.0, Information Systems Audit and Control Association (ISACA), 2012.
[ISO13] ISO/IEC 27001:2013, Information Security Management System, Requirements, BSI, 1 October 2013.
[NIST10] NIST Special Publication SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Revision 1, February 2010.
[NIST11] NIST Special Publication SP800-39, Managing Information Security Risk, March 2011.
[NIST12] NIST Special Publication SP800-30, Guide for Conducting Risk Assessments, Revision 1, September 2012.
[NIST13] NIST Special Publication SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, April 2013.
[PELT05] Peltier, T.R., Information Security Risk Analysis, Taylor & Francis Group, ISBN 0-8493-3346-6, 2nd ed., 2005.
[PFEF06] Pfeffer, J., Sutton, R.I., Evidence-Based Management, Harvard Business Review, January 2006.
[RIAB12] Riaback, A., Managerial Decision Making Under Risk and Uncertainty, IAENG International Journal of Computer Science (IJCS) 32:4, 2012.
[SKAL13] Skalle, H., Hahn, B., Applying Lean, Six Sigma, BPM, and SOA to Drive Business Results, IBM Redguides REDP-4447-01, 18 April 2013.
[STRA98] Straub, D.W., Welke, R.J., Coping with System Risk: Security Planning Models for Management Decision-Making, MIS Quarterly 22:4, 1998.
[VU16] VU University Amsterdam, Post Graduate School. IT Audit, Compliance & Advisory Faculty, Curriculum 2015-2016.