THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

November 2011
In This Issue
TRC Interview: NPPD's Tom Finan On Strategic Risk Analysis
Analysis: Identifying Tangible Benefits
Reports: DoD Cyberspace Policy, Assessing State Public Health Initiatives, and More
Jobs: New Positions At ABS and DHS
Thanks to Our Silver-Level Corporate Patrons
ABS
AcuTech
Secure Mission Solutions

Thanks to Our Bronze-Level Corporate Patrons
PwC
VRisk
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2011 SARMA. All Rights Reserved.

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

To our members here in the United States, warm wishes for a safe and happy holiday season to you and your families!  

As we approach the New Year, however, there is a fresh reminder of the risks we face in our 21st century world. Some of you may have taken note of the recent report of a cyber attack on a public water facility outside the City of Springfield, Illinois earlier this month. While likely not a deliberate act, this incident, along with a well publicized cyber incident in Iran where a computer worm known as Stuxnet infected computer systems at a nuclear research facility, underscores growing concern about the vulnerability of the supervisory control and data acquisition (SCADA) software used to remotely operate a variety of machines central to energy production and distribution, public water and wastewater systems, and many types of manufacturing around the world.  

As a further sign of just how seriously this emergent threat is being taken by homeland security officials in the United States, the White House released the first International Strategy for Cyberspace earlier this year. According to the Obama Administration, this approach marks a departure from past U.S. cyber security policy by seeking broad engagement with other nations to reduce common threats to digital networks world-wide.  

Likewise, SARMA believes cyber security must be part of any comprehensive discussion on security risk management. In many ways, however, it is the least understood of the threats we face. SARMA first began focusing attention on this emergent issue last year as part of a one-day forum on information sharing and cyber security, and we continued this as part of an entire track dedicated to the subject at this year's 5th Annual Conference on Security Analysis and Risk Management.   

I am pleased that we are now able to perpetuate this focus via The Risk Communicator, and I commend to you what I hope will be the first in a series of interviews with key officials charged with managing both the physical and cyber risks to critical infrastructure and communities here in the U.S. and abroad. In this issue, Tom Finan, Senior Cybersecurity Strategist and Counsel at the Department of Homeland Security's National Protection and Programs Directorate (NPPD), speaks with us about some of the steps being taken by DHS to address the cyber-physical challenge, develop analytics that will support effective decision-making, and improve resilience across each of the critical infrastructure sectors.   

As always, we welcome your feedback and ideas for future issues! 

My best,

Kerry L. Thomas
President

TRC Interview
Building to Resilience: NPPD's Long Term Approach to Strategic Risk Analysis

Tom Finan is Senior Cybersecurity Strategist and Counsel with DHS's National Protection and Programs Directorate (NPPD), where he is currently leading the effort to develop proposals for enhancing NPPD's resilience-focused analysis and modeling of cyber and physical threats to critical infrastructures, systems, and the public. The Risk Communicator interviewed Mr. Finan about the program's origins and plans for the future.

Ten years after 9/11, risk management is entering a new phase of growth and maturity. Although much attention continues to be dedicated to identifying and stopping terrorist threats, resilience has emerged as the leading watchword for planners in both the private and public sectors. Al Qaeda remains a major concern, but so too are natural disasters and, in this modern age of connectivity, cyberwarfare. With this growing sophistication has come the need for better planning and long-term budgeting, and improved tools for identifying the best use of resources.

That's where Tom Finan and his team at DHS's National Protection and Programs Directorate come in. Charged last year by Under Secretary Rand Beers to take the directorate's analytics abilities to the next level, Finan has led a series of working groups dedicated to developing programs to enhance cyber and physical resiliency long-term across all critical infrastructure sectors. The fear of a cyber attack disabling key systems such as IT, communications and water distribution has long existed, but, as Finan recently told The Risk Communicator, the recent Stuxnet attack in Iran in particular has focused minds across the homeland security enterprise.

"We've developed good day-to-day products," Finan explained. "But resiliency needs a better long-term program. We're asking ourselves, what are the sorts of risk information products we need to generate to advise or forecast what the cyber domain is going to look like in three to five years?" These analytical tools, Finan said, would not only aid in better decision-making, but would also improve synchronization with the budget cycles of NPPD's governmental and private-sector customers. "Greater awareness of emerging risks will help our customers refine their risk management strategies and investments before hazards happen," said Finan. "By targeting their resources to where they are likely to have the most impact, moreover, the entire homeland will benefit."

NPPD's customers have been at the heart of Finan's intra-departmental Enterprise Risk Working Group (ERWG) and its successor groups, which for the past year have been engaged in a holistic re-think of the dependencies and interdependencies that make up the cyber-physical challenge. After identifying nine or ten key risks and drawing out a core concern about a lack of resilience culture, Finan and his colleagues developed a series of proposals for how to approach analytics in this area and recently began working on a proof-of-concept project with local participants in Charlotte, North Carolina, and New Jersey. They heard the very same feedback from both communities. "They were very concerned about a Stuxnet-like attack on their life-support sectors," said Finan. "Not just short-term, but also the medium- to long-term economic and social impacts and how best to address them."

Because the ERWG and its successor groups were charged with developing analytics tools to help guide long-term decision-making, the process has also helped Finan and his colleagues identify a major challenge moving forward: creating a pool of analysts who can straddle both the cyber and physical infrastructure domains. On the academic side, Finan said he hoped that academia would do its part to develop the necessary skill sets and analytical mindsets, while the DHS side works to lay out defined career paths for those interested in both fields.

This new class of professionals will play an important role moving NPPD analytics forward. NPPD's next step is to develop and test analytic prototypes with the three- to five-year planning scheme in mind to determine what can be produced now and what new capabilities must be "grown." The value of analytics "is measured by how well it informs decision-making," Finan explained. "By identifying our customers' long-term cyber and other risk information needs up front and aligning the organization over time to better meet them, NPPD will be well-positioned to provide that value into the future."


Analysis
Identifying Tangible Benefits During the Risk Management Process
by Julian Talbot

Executives charged with risk management responsibilities often need to analyze how their efforts are supporting organizational objectives. In an ideal world, it's not a difficult thing to do: metrics such as payback period, net present value and return on investment give an easy cost/benefit calculation. At the very least, you can usually tell if you've achieved some tangible benefit. In practice, however, it's not so easy.

Unlike most business investments, risk management is often seen as delivering a 'soft' benefit. By this, I mean that the benefit is sometimes difficult to measure directly. Typically, there is likely to be a benefit, but it is unclear whether the predicted savings will be realized on the bottom line or otherwise quantified. Risks are by their nature abstract concepts -- things that may or may not occur -- and hence any proposed risk treatments have abstract benefits. Even if you do implement a risk treatment, the risk may not be realized and the predicted consequences may never occur. Or the risk occurs, but the scope and damage are less than predicted.

The issue of soft vs. hard benefits doesn't invalidate the risk management business case but it does make it rather unusual. While most business cases include both hard and soft benefits, many of the important benefits of risk management have in the past been poorly defined or unstated.

Making Intangible Benefits Tangible

There is no such thing as 'perfect risk management.' All risk management involves making trade-offs, some stated but many unstated. More often than not, it's these unstated or seemingly 'intangible' elements that will make or break the case for risk management. We will often also have to make decisions and trade-offs regarding perceived vs. actual risks. Sometimes managing the actual risk will also mitigate the perceived risks and vice versa, but other times it won't.

It may also appear that the perceived risks are more important than the actual risk. For example, removing nail clippers from airline passengers may have little to do with managing the actual risk of hijack, but it is part of the process that visibly demonstrates that something is being done. In fact, the risk of hijack is usually perceived by the travelling public to be much higher than it actually is. The greater risk associated with airline hijackings is therefore not one of hijack but the risk that people lose confidence in aviation safety, with the resulting economic costs and increased road fatalities. Similarly, it will often be appropriate to put in place measures such as tamper-evident packaging on food and drugs even though it is still entirely possible to contaminate the goods inside.

Of course, these issues of perceived vs. actual risk are largely subjective and will vary depending on individual risk criteria and level of understanding. Many risk management projects have more benefits to an organization than the ones that are cited, but some of these benefits may be difficult to quantify in absolute terms. A significant driver in the decision-making process is likely to be personal or organizational agendas, which will involve greater or lesser good to various parties.

Some Practical Tips on How to Measure the Immeasurable

First, it's worth going out on a limb by saying that intangible benefits are something of a misnomer. All benefits are quantifiable -- if we think laterally. Intangible benefits in this context represent benefits that are difficult or impossible to accurately predict and measure in financial terms. Often, however, these intangible benefits can be quantified into key performance indicators such as percentage market share or industry ranking. Some simple examples of intangible benefits to be considered when evaluating and measuring the performance of a risk management project include:

  • Brand Advantage: Reinforcing, advancing or changing an organization's reputation as a safe and/or well-managed place to work
  • Strategic Advantage: Working towards or meeting overall corporate objectives
  • Competitive Advantage: Getting into markets ahead of competitors faster and less expensively, better addressing customer needs, meeting changing market demand, scaling easily and more cost effectively, and gaining market share
  • Intellectual Capital: Increase in relevant knowledge gained by risk management and other staff, and the perceived market value from those gains
  • Organizational Advantage: Enabling an organization to function more effectively, or reinforcing or recreating a corporate culture
  • Risk Avoidance: The risk the organization would carry by not implementing the solution

Every company or organization has objectives that are measured in non-financial terms. Some of these include improvements in branding, image, customer satisfaction, product development time and employee recruitment. Reaching these objectives should ultimately translate into either financial savings or increased income, but the objective and progress towards it are measured first in non-financial terms. Does your proposed action contribute to one of these objectives? If so, it deserves some attention.

Therefore, if you were writing the business case for risk management, I'd suggest that assigning financial value to benefits should be one of the last steps. If you can show in tangible terms that your proposal contributes to a business objective, the benefit is real. If management agrees that reaching the objective has value, then the benefit has value.

Measuring the links between risk management and staff skills can be easier said than done. When trying to assign value to a risk management initiative, however, sit down with your colleagues, finance team members and managers to decide 'what is the value of reaching the objective?' and 'does the risk management framework or treatment contribute to this?'  If the answer is yes, the only question remaining is, 'what percentage of that value should be credited to the risk treatment?' The figure you agree on may not be 100%, but it should not be 0% either. 
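As an added worked example (not part of this article or the book it is excerpted from), the steps above carried through in Python, in the order the article recommends: agree the annual value of the business objective, agree the share of that value credited to the risk treatment, and only then convert to the financial metrics named at the top of the article (net present value, return on investment and payback period). Every figure in it, the five-year horizon, the 8% discount rate and the 'security monitoring' treatment itself are constructed assumptions for illustration; the breakeven calculation is an addition that shows the smallest credited share at which the case still pays.

```python
"""Worked business case for a risk treatment.

Added illustration, not from the article: the numbers, the discount rate
and the horizon are constructed assumptions. The order follows the article's
advice: establish the value of the business objective and the share of that
value credited to the treatment first, and convert to money last.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class TreatmentCase:
    name: str
    upfront_cost: float              # one-off spend in year 0
    annual_running_cost: float       # recurring spend in years 1..years
    objective_value_per_year: float  # value management agreed for reaching the objective
    credit_share: float              # fraction of that value credited to the treatment
    years: int                       # planning horizon
    discount_rate: float             # assumed cost of capital, e.g. 0.08 for 8%

    def annual_benefit(self) -> float:
        # The article's point: the agreed share may be below 100% but is never 0%.
        if not 0 < self.credit_share <= 1:
            raise ValueError("credit_share must lie in (0, 1]")
        return self.objective_value_per_year * self.credit_share

    def net_cash_flows(self) -> List[float]:
        """Index 0 is the upfront spend; each later entry is benefit minus running cost."""
        net = self.annual_benefit() - self.annual_running_cost
        return [-self.upfront_cost] + [net] * self.years

    def npv(self) -> float:
        """Net present value of the cash flows at the assumed discount rate."""
        return sum(cf / (1 + self.discount_rate) ** t
                   for t, cf in enumerate(self.net_cash_flows()))

    def roi(self) -> float:
        """Undiscounted (total benefit - total cost) / total cost over the horizon."""
        total_benefit = self.annual_benefit() * self.years
        total_cost = self.upfront_cost + self.annual_running_cost * self.years
        if total_cost == 0:
            raise ValueError("no cost to compare the benefit against")
        return (total_benefit - total_cost) / total_cost

    def payback_years(self) -> Optional[float]:
        """Years until cumulative undiscounted cash flow reaches zero, or None if never."""
        flows = self.net_cash_flows()
        cumulative = flows[0]
        if cumulative >= 0:
            return 0.0
        for year in range(1, len(flows)):
            if flows[year] > 0 and cumulative + flows[year] >= 0:
                return (year - 1) + (-cumulative / flows[year])  # interpolate within the year
            cumulative += flows[year]
        return None

    def breakeven_credit_share(self) -> Optional[float]:
        """Smallest credit share at which NPV is non-negative; None if even 100% does not pay.

        NPV(share) = -upfront + (value * share - running) * annuity, solved for NPV = 0.
        """
        if self.objective_value_per_year <= 0:
            return None
        annuity = sum((1 + self.discount_rate) ** -t for t in range(1, self.years + 1))
        needed = (self.upfront_cost / annuity + self.annual_running_cost) / self.objective_value_per_year
        return needed if needed <= 1 else None

    def with_credit_share(self, share: float) -> "TreatmentCase":
        """Same case with a different agreed share, for sensitivity checks."""
        return replace(self, credit_share=share)


def example_case() -> TreatmentCase:
    """Constructed figures for a hypothetical security monitoring programme."""
    return TreatmentCase(
        name="24x7 security monitoring",
        upfront_cost=250_000,
        annual_running_cost=30_000,
        objective_value_per_year=400_000,  # agreed with finance: value of avoiding a major outage
        credit_share=0.40,                 # share the finance team agreed to credit to the treatment
        years=5,
        discount_rate=0.08,
    )


def summarise(case: TreatmentCase) -> dict:
    """Return the metrics a business case would report for one treatment."""
    return {
        "name": case.name,
        "annual_benefit": case.annual_benefit(),
        "npv": round(case.npv(), 2),
        "roi": round(case.roi(), 3),
        "payback_years": case.payback_years(),
        "breakeven_credit_share": case.breakeven_credit_share(),
    }


if __name__ == "__main__":
    case = example_case()
    for key, value in summarise(case).items():
        print(f"{key:>24}: {value}")
    # Sensitivity: how the case looks if finance only credits the breakeven share.
    marginal = case.with_credit_share(case.breakeven_credit_share())
    print(f"NPV at breakeven share: {marginal.npv():.2f}")
```

With the constructed figures the treatment is credited 160,000 a year, pays back in under two years and has a positive NPV; the breakeven share (about 23%) is the number to take into the conversation with finance, since the case survives a considerably smaller credit than the 40% first agreed.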

Julian Talbot is CEO of Jakeman Business Solutions, a leading risk management and program management consultancy. He is also lead author of the Security Risk Management Body of Knowledge (SRMBOK), a Board Member of SARMA, Fellow of the Risk Management Institution of Australasia (RMIA) and Research Associate with the Australian Homeland Security Research Centre. This article is excerpted from his upcoming book Snapshot Guide to ISO 31000:2009 Risk Management! which is due for publication early next year. For more sneak previews and risk management tips, go to http://31000risk.blogspot.com/.

Key Reports

Department Of Defense: Cyberspace Policy Report

A new report from the Defense Department identifies five distinct but interrelated strategic initiatives to support DoD's cyberspace operations and its national security mission, including international cooperation and the development of active cyber defense.

Get the report

GAO: Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements

A new report from the Government Accountability Office finds that "weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing over 650 percent over the past 5 years."

Get the report

CDC: 2011 State-by-State Update on Laboratory Capabilities and Response Readiness Planning

A new report from the Centers for Disease Control and Prevention finds that public health preparedness has improved over the past year but cites federal and state budget cuts and work-force stoppages as significant challenges moving forward.

Get the report

Jobs
ABS Consulting: Junior Analyst

ABS is seeking a talented young professional to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.  

Read the notice

ABS Consulting: Junior Risk Analyst

ABS is seeking a talented young professional to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis.  Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.

Read the notice

ABS Consulting: Risk Analyst

ABS is seeking a talented young professional to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis.  Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.

Read the notice

ABS Consulting: Risk Consultant

ABS is seeking a talented young professional to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis.  Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.

Read the notice

DHS: Operations Research Analyst

DHS National Protection and Programs Directorate is seeking applicants to provide technical support and subject matter expertise for the execution of strategic quantitative risk assessments. Responsibilities include developing and advancing tailored risk and decision analytics, support tools and technical assistance, and promoting effective homeland security risk communications and enhancing risk communication techniques.

Visual Risk Technologies: Safety and Security Risk Consultant

Visual Risk Technologies is seeking applicants to contribute to the firm's creative approaches and proven software solutions that are in use by a variety of corporate and government clients in the homeland security, transportation, energy, and chemical industries. The position will provide expert guidance to technical staff and conduct independent research and analysis culminating in written reports and oral presentations.

FEMA: Program Analyst

FEMA is seeking applicants to, among other tasks, conduct research and perform analytical tasks for risk analysis, risk management, and critical infrastructure protection initiatives and programs. The successful applicant will also provide assistance in obtaining, analyzing, and processing data related to critical infrastructure and all-hazards risk in support of assessments and analyses.
   
Read the notice 

CFATS: Senior Cyber Security Consultant 

The Senior Cyber Security Consultant will provide chemical security analyses of vulnerability assessments and security plans for chemical facilities. The consultant will assist the government client with review and analysis of information submitted by chemical facilities, including review of submissions from regulated facilities for completeness and consistency. This includes cyber security analysis pertaining to the identification and description of computer or cyber systems related to operations, process control, or security.

CFATS: Chemical Facility Physical Security Consultant

A Chemical Facility Security Consultant will provide physical security, chemical security, and/or cyber security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.  Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The job responsibilities will include: (1) evaluation of existing and planned security measures, practices, and plans; (2) evaluation of vulnerabilities; (3) evaluation of risk management practices; (4) participation in coordination meetings and conference calls; and (5) documentation of assessment results (in formal reports, briefings, and white papers).   

CFATS: Senior Chemical Security Consultant

The Senior Chemical Security Consultant will provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.  Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The successful candidate will assist DHS with review and analysis of information submitted by regulated facilities for completeness and consistency.  

CFATS: Cyber Security Consultant

A Cyber Security Consultant will provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.  Under the direction of a Senior Cyber Security Consultant, a Cyber Security Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The successful candidate will assist DHS with review and analysis of information submitted by regulated facilities for completeness and consistency. This includes cyber security analysis pertaining to identification and description of computer or cyber systems related to operations, process control, or security.

CFATS: Senior Physical Security Consultant  

A Senior Physical Security Consultant will provide physical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.  Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The successful candidate will assist DHS with review and analysis of information submitted by regulated facilities for completeness and consistency. The Physical Security consultant will review designs and security programs and evaluate existing security countermeasures and practices.

Read the notice  

Security Management Resources: Petroleum Security Advisor 

Provide security advice and support to ensure the security of the people, operations and facilities of the global Petroleum organization. This role will proactively support the Petroleum Security Manager in the implementation of security strategies with particular focus on emerging threats, security incident management, development of security procedures in new locations, and security reviews for established operations.

Read the notice