Slides from a webinar presented by Steve Schlarman (RSA) and Kirk Hogan (Iceberg). An overview of a large financial institution's journey to improve their application risk management process, from spreadsheets to a centralized inventory of risk data, allowing for more confident, informed and effective decisions.
Slide 5
APPLICATIONS ARE THE PATH TO DATA
APPLICATION RISK
[Diagram: Employees, Consumers, Suppliers → Applications (On-Premise, Mobile, Cloud) → Data]
Slide 6
APPLICATIONS IN THE ENTERPRISE
508: average number of applications per enterprise (Netskope 2014)
22%: percentage of cloud business-critical apps invisible to the IT department (Netskope 2014)
>2,000: average number of unsafe mobile apps installed on employee devices (Veracode 2015)
Slide 8
KEY QUESTIONS
• How many commercial vs. custom applications deployed?
• Where are the applications installed? On-premise? Cloud? Network? Laptop? Mobile?
• What products/services does the application support?
• How recently has a security assessment been done on each application?
• How often should you re-assess?
• How long does it take to do an assessment?
• How accurate (or how trusted) is your assessment data?
Slide 9
SO WHAT?
Why is it crucial to have clear answers on application risk?
Potential impacts:
• Infrastructure failures
• Compliance failures
• Security breaches
• Privacy breaches
• Reduced performance
• Inability to deliver products & services
Slide 10
CHALLENGES
Fragmentation
• Different assessment processes across the enterprise (silos)
• Untrained employees assessing risk
• Varied focus
Cyber Focus
• Digital shift (incl. cloud + mobile)
• Increased cyber security scrutiny from management & board
• Focus from audit, regulators, etc.
Prioritization
• Where do I focus my resources?
• What applications are the most critical to our business?
Slide 11
THE CHALLENGE
• Large North American bank
• Over 2,000 applications deployed
• Business units own risk management process
• No centralized inventory & inconsistent risk management processes
OBJECTIVES
• Move from spreadsheets to centralized automated tool
• Harmonize risk management process across Lines of Business (LOBs)
• Improve use of resources for managing risk
• Provide better reporting to executive management
Slide 12
INVENTORY
• Baseline: Over 2,000 applications
• Rough inventory in several spreadsheets (no centralized inventory)
• First step was categorization: “Apps that support core business processes”
• Identified 1,800 business-critical applications
• 30 business technology risk managers, 6 LOBs, tasked with initial assessments
• Assessments all done using spreadsheets, with different questionnaires and risk frameworks for each LOB.
Process stages: Inventory → Harmonization → Automation → Prioritization → Measure & Improve
Slide 13
HARMONIZATION
• “AHA” moment: LOBs realize they are all asking similar questions!
• “Consolidate and co-ordinate”
• Reduce dozens of assessment spreadsheets to one common set of questions; assess based on one common risk framework
• Eventually: One assessment template & one risk “language”
Slide 14
IMPORTANCE OF LEADERSHIP
• “Thou shalt”: Strong support from executive leadership
• Strong leadership = crucial to get alignment between LOBs
• LOBs still own risk, and have autonomy to make decisions; goal is simply to harmonize the process & framework they’re working under
Slide 16
AUTOMATION
• Deriving meaning from hundreds of spreadsheets is incredibly difficult.
• Bank essentially had “professional linkers”: resources spending most of their time cross-referencing spreadsheets!
• RSA Archer deployed to centralize an inventory of applications + controls + evidence/documents.
• First step was simply to convert the Excel spreadsheet to a standardized online questionnaire.
• Result: Faster assessments + usable data
Slide 17
PRIORITIZATION
• Automation + centralization resulted in a clean inventory of information: applications, controls, assessments.
• Each application rated for risk: 1 to 5 (low to high) plus a weighted risk score
• Now each LOB can prioritize resources to target the most critical risks, based on the most critical business processes.
• Decisions are based on quantitative data, instead of gut feeling
Slide 19
BETTER DATA = BETTER REPORTING
Photo by Julien Haler / used under creative commons license https://www.flickr.com/photos/titlap/2297090390
• Don’t overwhelm the pilot with everything that’s going on, only the crucial info
• Most managers: “What are the top 10 items that I need to deal with this week?”
• “Actionable Metrics”: Ability to drill down to see the remediation action plan.
• Drill-down transparency was impossible with spreadsheets
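The prioritization and reporting slides above describe three things the centralized inventory made possible: one common questionnaire scored against one risk framework, a weighted risk score that maps to a 1 to 5 rating per application, and a "top N this week" view that drills down to each item's remediation plan. The following is an added illustration of that data model, not code from the webinar, the bank, or RSA Archer. The questionnaire controls, their weights, the rating thresholds, and the four sample applications are all constructed assumptions; a real deployment would take the weights and thresholds from its own risk framework.

```python
"""Added example: a minimal centralized application-risk inventory.

Assumptions (not from the webinar): the common questionnaire below, its
weights, the 1-5 rating thresholds, and the sample applications.
"""
from dataclasses import dataclass, field

# Assumed common questionnaire: control -> weight (higher = matters more).
# Each answer is a control-effectiveness score 0..MAX_ANSWER
# (0 = control absent, MAX_ANSWER = fully effective).
QUESTION_WEIGHTS = {
    "access_control": 3.0,
    "patching": 2.0,
    "data_encryption": 3.0,
    "logging_monitoring": 1.5,
    "backup_recovery": 1.5,
}
MAX_ANSWER = 4


@dataclass
class Application:
    name: str
    lob: str                      # line of business that owns the risk
    business_critical: bool
    answers: dict                 # control -> score 0..MAX_ANSWER
    remediation_plan: list = field(default_factory=list)


def weighted_risk_score(app):
    """Return 0..100: the weighted share of control effectiveness that is missing."""
    total_weight = sum(QUESTION_WEIGHTS.values())
    gap = 0.0
    for control, weight in QUESTION_WEIGHTS.items():
        score = app.answers.get(control, 0)   # unanswered counts as a missing control
        if not 0 <= score <= MAX_ANSWER:
            raise ValueError(f"{app.name}: {control} score {score} out of range")
        gap += weight * (MAX_ANSWER - score) / MAX_ANSWER
    return round(100.0 * gap / total_weight, 1)


def risk_rating(score):
    """Map a weighted score to the deck's 1 (low) .. 5 (high) rating (thresholds assumed)."""
    thresholds = (20, 40, 60, 80)
    return 1 + sum(score > t for t in thresholds)


def top_items(inventory, n=10, critical_only=True):
    """Prioritize: highest weighted score first, business-critical apps only by default."""
    candidates = [a for a in inventory if a.business_critical or not critical_only]
    ranked = sorted(candidates, key=lambda a: (-weighted_risk_score(a), a.name))
    return [
        {
            "name": a.name,
            "lob": a.lob,
            "score": weighted_risk_score(a),
            "rating": risk_rating(weighted_risk_score(a)),
            "remediation_plan": list(a.remediation_plan),   # the drill-down view
        }
        for a in ranked[:n]
    ]


def lob_summary(inventory):
    """Executive view: per LOB, how many applications sit at each rating."""
    summary = {}
    for a in inventory:
        rating = risk_rating(weighted_risk_score(a))
        per_lob = summary.setdefault(a.lob, {})
        per_lob[rating] = per_lob.get(rating, 0) + 1
    return summary


# Constructed sample inventory; names and answers are made up for this example.
SAMPLE_INVENTORY = [
    Application("payments-gateway", "Retail", True,
                {"access_control": 1, "patching": 1, "data_encryption": 2,
                 "logging_monitoring": 2, "backup_recovery": 3},
                ["Enforce MFA for admin access", "Apply missing OS patches"]),
    Application("hr-portal", "Corporate", False,
                {"access_control": 3, "patching": 2, "data_encryption": 3,
                 "logging_monitoring": 1, "backup_recovery": 2}),
    Application("trade-ledger", "Capital Markets", True,
                {"access_control": 4, "patching": 4, "data_encryption": 4,
                 "logging_monitoring": 3, "backup_recovery": 4}),
    Application("mobile-banking", "Retail", True,
                {"access_control": 2, "patching": 3, "data_encryption": 1},  # two controls unanswered
                ["Enable at-rest encryption", "Complete logging/backup questionnaire"]),
]

if __name__ == "__main__":
    for item in top_items(SAMPLE_INVENTORY, n=3):
        print(f"rating {item['rating']}  score {item['score']:5.1f}  {item['name']:18} {item['lob']}")
        for step in item["remediation_plan"]:
            print(f"      - {step}")
    print(lob_summary(SAMPLE_INVENTORY))
```

Two design points carry over from the deck: an unanswered question is scored as a missing control rather than skipped, so an incomplete assessment raises the score instead of hiding risk, and the weights live in one shared table so every LOB is scored in the same risk "language".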
Slide 26
MEASURE & IMPROVE
Implementation / Roll-Out:
• Don’t strive for 100% perfection
• Get it about 80% right, listen to users, tweak it from there
Risk Management:
• Original strategy was “remediate all the risks” / over-compensate
• Shifting now to analyzing data collected to truly prioritize risk remediation
• Future: Performance metrics – how can we improve resource efficiency?
Slide 27
ACHIEVING VALUE
• 100 active users on the platform
• Gut feeling / guesswork replaced by decisions based on trusted & transparent risk data
• Siloed risk assessment process now centralized & integrated between LOBs
• Management can now make more informed, confident and effective decisions on where to focus resources.
• Ultimately: This project has helped build & maintain trust from application users. Thousands of employees rely on business-critical apps.
Slide 28
RSA Archer: Inspire Everyone to Own Risk
[Maturity Journey diagram: stages Compliance, Risk, Opportunity; labels Transform, Harness, Exploit; other labels Results, Reach]
Risk management is the key to protecting your competitive advantage.
Slide 29
From Compliance to Opportunity
[Diagram: stages Compliance, Risk, Opportunity; labels Results, Reach; pain points: Resource overload, High rate of change, Lack of resources, Lack of business context]