
Ensuring Data Privacy Verifying @ scale

“Intent” in the IDEA framework for Data Privacy

It was the dawn of May 29, 1453, a Tuesday, when the confident defenders of Constantinople were blindsided by a charge out of left field: Ottoman attackers found the one open door of the Kerkoporta and got through the supposedly impenetrable Theodosian walls of Constantinople. The defenders were confident because they had the best technology and tools of the times: the Walls.

These walls, built in the 5th century, had stood the test of time for a thousand years. They had survived many challenges; they survived the siege laid by Mehmed II and the assault by the largest cannon of the times, specially designed to breach these walls.

In the end they were undone by a small 16-foot door left open, which allowed just 50 Ottoman soldiers to rush in. The ensuing events, combined with the shock and psychological impact of the supposedly impenetrable walls being breached, led to the downfall of the city and of an empire that had stood for over eleven hundred years.

We may live in different times, in the days of AI and data privacy, but this six-hundred-year-old story holds some powerful lessons for us today.

I referred to this story in my last blog when I wrote about the need for 100% effort: the need to check that “all the doors are secured”, not “most of the doors”. In this day and age of information explosion, when we must deal with hundreds of servers, thousands of devices and humongous amounts of data, how do we Verify @ Scale?

That we must do 100% verification is evident. This story highlights another aspect of “Risk Management Culture”: identifying and managing risks is not a once-and-done activity. It requires constant attention and review to make sure that things are functioning as you intended them to.

Strengthening our Risk Management and Security posture cannot be an afterthought. We must build it into the DNA of all that we do.

The IDEA Framework: Intent – Design – Evaluate – Assess

We use an Intent-Design-Evaluate-Assess (IDEA) framework to move Risk Management from just compliance to a strategic, goal-driven paradigm. It compels thinking about the “why” before the “how.”

Intent: Capture the Strategic Goals

Instead of just listing threats or things to do, the organization’s strategy captures its risk appetite and objectives. The intent, the organizational strategy, is encapsulated in its policies. The policies establish organizational objectives in the context of the internal and external factors that impact the organization. The objectives set out what we must protect: assets, data, reputation, availability, integrity.

Design: The Controls

The policies capture our organizational Risk Management Intent. This intent is translated into an actionable set of Controls, built to achieve the objectives and address the Strategic Intent.

The risks identified are analyzed to determine their potential hazards, their likelihood and their impact. The Controls are designed to reduce the risks identified, and ownership and responsibilities are assigned to teams to ensure that these controls are implemented as designed.

Evaluate: Are the Controls working as intended?

As I mentioned earlier in this note, Risk Management is not a once-and-done activity.

So, the Controls designed to address the Strategic Intent encapsulated in the Risk Management Objectives must be constantly evaluated to assess whether they still meet our original intent.

There are two main purposes of this ongoing evaluation. The first is to establish that these controls are usable, and that they don’t increase or shift risks by being unusable. The second is to determine whether these controls work to lower the risks to acceptable levels, as intended.

Assess the Impact

The continuous monitoring of the impact of controls and the assessment of outcomes is not only the final stage of this framework but also provides input to its first step. It helps fine-tune the strategic intent, and therefore the design and implementation of controls.

Assessment has two parts: one, to monitor the performance of controls, and two, to do a post-event review that provides feedback to fine-tune the intent.

This framework is helpful: it makes Risk Management systematic. The next question is, how do we do it @scale?

Risk Management @Scale

As we saw at the top of this blog, we have an impregnable fortress with one hundred very hi-tech doors. Inspecting 99 of them tells you nothing about the hundredth. And as we saw, a small 16-foot gate, the Kerkoporta, left open set in motion events that led to the downfall of a thousand-year-old Byzantine Empire.

I mentioned that this has lessons for us today. As I wrote when I talked about the complexities of a GRC program, we have thousands, maybe hundreds of thousands, of ‘doors’, i.e. potential points of leakage. It is humanly impossible to police all these ‘doors’.

The use of the IDEA framework makes Risk Management systematic. The use of AI enables us to do it at scale. Next I will discuss how AI could be leveraged to establish Intent, Design Controls, Evaluate applicability and Assess effectiveness.
