We've all heard about the analyst at the U.S. Department of Veterans Affairs who, in May 2006, took home a laptop that held personal information on millions of military veterans. When a burglar broke into his home and stole the laptop, the incident raised fears of identity theft on a catastrophic scale.
Luckily the laptop was recovered, and the FBI determined that the data had not been compromised. But the close call points out an undeniable fact: When something goes wrong with a government information system, the consequences can ripple far beyond the IT department.
Today, just about every aspect of government relies on IT. So when a hurricane destroys a data center, a hacker launches a denial-of-service attack, or the vendor of a key software application goes out of business, that doesn't just mean headaches for the CIO. It could also mean public-health professionals can't access patient records. Or teachers can't get their paychecks. Or police officers can't fight crime.
In other words, IT risk means risk to the entire government.
"People have to stop thinking of IT risks as independent," said Cal Braunstein, chairman, CEO and executive director of research at the Robert Frances Group, an IT consulting firm in Westport, Conn. "IT risks are a component of business and operational risk." IT risks span a growing range of concerns, and risk management, especially when it comes to data security, has become a much larger role. "Much more than we thought about four or five years ago," said Thomas Jarrett, CIO and secretary of Delaware's Department of Technology and Information. "And it's become a major focal point for the work we do."
Types of Risk
"In this day and age, privacy and security risks would be at the top of the food chain," said Patrick Pizzella, CIO and assistant secretary for administration and management at the U.S. Department of Labor. Thieves, hackers, spammers, virus launchers and others who try to steal data or sabotage systems constitute one of the major categories of IT risk. As government agencies open their systems to one another and to private-sector partners in the name of collaboration, and as they offer e-government services to the public, it becomes increasingly important to guard every door and window into the IT infrastructure.
IT plays a role in managing risk when it comes to physical doors and windows, as well as logical ones. In this post-9/11 world, concerns about physical security and information security meld, said Bradford Brown, managing director of the technology risk consulting practice, public services, at Protiviti Inc. in Vienna, Va. For one thing, that means CIOs must think especially hard about managing identity risk. "It's not so much even the physical protection of the building," Brown said, "but who's going to have access, how you're going to gain access not only to the building but to your network, what that access is going to look like, and how you are going to compartmentalize that."
CIOs must also be aware of risks outside their sphere of control, such as the public telephone network and the power grid. "If you are an IT organization and are providing support for a 911 system, and power goes down and you have no way to get that system back up, it's not a reasonable thing to say, 'Out of my control,'" Braunstein said. "When the power does go out or other failures occur, you have to be able to address the problem, whether it is internal or external, and keep the mission-critical systems running."
A government that offers Web services must consider a range of risks, including harm to third parties who might be inclined to file lawsuits, said Bill Kostner, risk manager for Lincoln, Neb., and president-elect of the Public Risk Management Association. Citizens who conduct business with the government on the Web might see their credit card information stolen, or people might post information on a government site that violates a copyright, reveals a trade secret or slanders a candidate running for office.
Along with these ongoing operational risks, CIOs deal with project risks involving costs, deadlines and contracts, getting locked into proprietary or no-longer-supported technology, and out-and-out project failure.
The implementation of electronic voting mandated by the Help America Vote Act of 2002 offers a good example of risks that attend an individual IT venture. "When you assess that IT project, there are going to be security concerns," said Alyssa Farrell, industry marketing manager for state and local government at SAS. "There will be culture concerns. There will be cost concerns. And each of those concerns should spawn a risk assessment.
"The difference between risk assessment for a project versus an organization is that a project should have a defined outcome," she continued, adding that if the risks compromise those outcomes, that can hurt the CIO. "A CIO can survive by securing data, making sure everything's moving forward. But he can't thrive in his position without showing project success."
The risk management process includes four broad steps: defining the organization's tolerance for risk, identifying all possible risks, assessing each risk and taking action.
The first step, defining risk tolerance, establishes what is acceptable to an organization, said Rich Mogull, a research vice president in information security and risk at Gartner. Usually this process must happen at a level higher than the CIO's office, because it spells out the consequences -- cost, liability, political fallout -- the whole enterprise must accept if something goes wrong. "If I'm a CIO," Mogull said, "it is in no way, shape or form my job to make decisions on reputation risk for my agency."
Unfortunately, said Mogull, executives rarely conduct a formal process to define risk tolerance. In the public sector, politicians compound the problem by setting the tolerance meter at zero. "They say, 'Thou shalt not have any risk of doing this,'" he said. "But they don't trade off the checks and balances and the costs."
To some CIOs, it's crucial to attend to every risk, rather than let some slide. "It's like the tire on the car that looks like it's low in air," said Pizzella. "You ought to fill it up."
Whether or not you believe you can address every conceivable danger, the risk management program can't proceed until you identify the risks you face. Just as the strategic planning process tries to outline every organizational strength, weakness, opportunity and threat, risk management attempts to look at every potential exposure to an entity, said Kostner. "[It] takes the ability to think outside the box, and think about what could happen and how to prevent that -- to think about every possible contingency that's out there."
Risk assessment means evaluating what a risk consists of, how likely it is to occur and how much harm it can do. CIOs can look to several formal methodologies for help with this process. One is included in the Control Objectives for Information and Related Technology (COBIT), developed by the Information Systems Audit and Control Association. "The assessment program inside COBIT is fairly extensive," said Richard Seery, IT intelligence program director at SAS. It helps an organization assess its current state and discover how to eliminate or reduce risk in certain areas. Many government organizations in Europe, South Africa and Australia have adopted the methodology.
Another relevant methodology, Mogull said, is the Operationally Critical Threat, Asset and Vulnerability Evaluation -- dubbed OCTAVE -- developed at Carnegie Mellon University.
Accept, Avoid, Transfer, Mitigate
Once the organization has assessed the possible risks, it's time to take action. In classic risk management, there are four fundamental ways to deal with a risk: acceptance, avoidance (for example, by canceling a risky project), transferal (usually by buying insurance) or mitigation.
Mitigation strategies are as numerous as the risks themselves. When the U.S. Department of Labor embarks on a new IT implementation, for example, Pizzella and his organization manage the risk of unanticipated costs by making sure the project plan considers necessary upgrades to hardware and software that reach the end of their life cycles. "If the owners of projects haven't thought those things through," Pizzella said, "we don't support initiatives."
Delaware's CIO has waged an aggressive campaign to help his customers -- technology users throughout state government -- understand their role in mitigating security risks. That includes sharing the results of a recent scan for malicious code on the network and demonstrating how easily a free program downloaded from the Web can crack a password. "It's to show them that this stuff is very easy, and we understand that [they] don't like strong passwords," Jarrett said, "but it's incredibly important as a first line of defense."
In addition to gaining greater cooperation, the education program has also helped his department win funding for risk mitigation.
Delaware's Department of Technology and Information also runs frequent tests on systems that are crucial to business continuity, Jarrett said. "We test the power systems weekly; we test our mainframe survivability process a minimum of four times a year."
In a world where every aspect of government depends on information technology, the CIO must not only manage IT risks, but also risks to the whole government enterprise. For example, Brown pointed out, agency officials in charge of IT and finance follow similar procedures to audit the integrity of their systems. "And so you often need both of those officials engaged to look at risks, because they're one and the same," he said. "Your financial systems are running over a network."
There's an increased responsibility on the CIO, Farrell said, to prepare for and respond to risks that may not always be technology specific. "They are seen as the champions and guardians of public information in many ways," she added, even if they haven't officially been given the power to play that role.
Some CIOs, understanding their role as public stewards, are becoming more engaged in the political process, Farrell said. Some come to their jobs with backgrounds in law or public policy that help them play this role. "They're involved in discussions within the legislature or the county commissioner's office," she said.
One arena where CIOs often get involved in broader risk management initiatives is disaster planning. "We spend a lot of time in IT trying to build systems so people can't get in," said Braunstein, who's worked with government and business clients on pandemic planning. To help stop the spread of infection, however, a government might close its offices. Then public employees would need to access their information systems remotely. "I now need a whole new IT system methodology of allowing people to work from home without opening the system to hackers," he said.
Delaware's IT officials remind colleagues in other departments how much their emergency response plans rely on information systems, and how important it is to make sure those systems survive a disaster. "We've assigned a team within our department that goes out and will sit with agencies, to go through the whole disaster recovery business planning process," Jarrett said, adding that as part of their own pandemic planning, Delaware's officials have spelled out how to keep serving citizens should the governor close the roads. "Do we have a network that could sustain itself if everybody is at home and they're going to try to access their systems?" Jarrett asked. "We're fortunate that we believe we do. I've talked to a lot of other states and, in fact, that could literally bring the local network to its knees."
When explaining the need for risk management, Jarrett points to the New York Stock Exchange and other Wall Street organizations that, devastated as they were by the 9/11 attacks, were fully up and running less than a week later. They achieved that because of all the disaster planning and testing done in advance.
Making those provisions costs a lot of money, Jarrett conceded, but you can't afford not to do it in this day and age. "Maybe the risk wasn't that great years ago, so you could say, 'The risk is low enough that I accept it.' But I don't think the risk is low enough anymore."