How LinkedIn Elevated Its Risk and Compliance Platform To Improve Stakeholder Experience And Enable Next Generation Integrated Risk Management
Co-Authors: Chaitali Parmar, Eric Stoll, and Natasha Michel
At Linkedin, one of the Information Security team's core commitments is to enable an environment of trusted and secure products, platforms, and infrastructure for our employees, members, and customers. The Infosec Governance, Risk and Compliance (GRC) and Third Party Security (TPS) teams are responsible for documenting security policy and monitoring in-house and third party risk and control environments to assure compliance and a healthy risk awareness and risk appetite, which is the amount of risk that one is willing to accept in pursuit of its strategic objectives.
In this post, we’ll share the benefit we saw from adopting a common platform and introducing process automation to our security risk and controls environment. The result was a reimagined risk management system that delivers a more optimal experience for our employees and third party suppliers as well as increased insights allowing us to manage risk better throughout our environment.
Prior Challenges
Before starting on our single platform adoption approach, we identified some challenges with our legacy tooling and processes that we wanted to address as success criteria.
Lack of Centralized Source of Truth (SoT): Getting a complete view of our security risk posture was difficult because our data sources for security risk were located in multiple organizational systems. It took up a lot of time and resources to gather all the necessary information. Even generating a basic report meant having to collect data from various sources, standardize it, analyze it, and then present it.
Struggle with scalability and stakeholder experience: As the demand for our employee-facing services increased, we noticed that the tools and methods we were using were not scalable. We were relying on tools like Excel questionnaires, ticketing systems, and ad-hoc emails, which were functional but could not handle the increasing volume of requests. As a result, our employees and third-party suppliers experienced longer processing times and delayed responses. A lot of time was being consumed in providing process guidance and ensuring data quality across these different sources.
Our Journey
We went through a proof of concept for various security risk management platforms to find a solution that would help us effectively address the challenges that we were facing. We selected one that specialized in risk management for both organizational and third parties.
Lift and Shift Phase
We began by adopting a lift and shift approach (i.e., taking all of our existing risk management processes supporting GRC and TPS programs from our array of different systems and onboarding them to the single platform).
Initially we started with the processes outlined in section 1 and 2 in our journey. Almost immediately we noticed benefits of structured data when generating holistic risk reports for management. We were able to stack data side by side to compare directly in our platform as opposed to exporting everything from its source system and manually normalizing the data to start comparison. Getting the aggregated data insights our management team needed became much more efficient, cutting time down from approximately a quarter to pull and analyze the required data to just a few weeks.
Excited by the prospect of increased efficiency, we invested in an implementation partner to help us expedite the onboarding of our processes and guide us with best practices of platform implementation. As our teams learned the platform features we created requirements to further move our processes into one platform.
We started onboarding audit, third party risk assessment processes, and policy hierarchy artifacts into the platform (section 3 in our journey). As a result, our stakeholders, our employees and external suppliers, became adept at using the platform for communicating with our teams for inquiries related to risk assessments / our team's responsibilities. This reduced the need for extensive guidance, freeing up our team from administrative tasks so we had more time to focus on high risk - high priority needs of the business. This centralization also allowed us to dramatically cut turnaround times for stakeholder requests. We were able to spend more time working directly with management advising them on aggregated top risks and recommend prioritization with mitigations.
New features enabled by data insights phase
Having achieved our success criteria and significantly improved legacy tooling challenges, we turned our focus towards the future benefits of a unified platform. Although multiple processes were now housed in the same platform, there was still some inconsistency when comparing insights related to issues, audit findings, and identified risks. To address this, we leveraged the platform to invest in a scalable data normalization solution. We created a list of common control objectives to facilitate this effort (section 4 in our journey). Every audit finding, risk identification, policy requirement, and supplier security workflow was linked directly to a common control objective. Each of these control objectives, in turn, was associated with a risk statement pertaining to LinkedIn's information security. This allowed us to automatically generate rich data insights while employees carried out their processes and workflows. Instead of spending weeks assessing our risk posture, we now had a framework in our platform that provided real-time insights that management used to help prioritize strategic initiatives and investments and measure information security program successes.
We recognized the importance of sharing this data with management to enhance risk awareness and incorporate risk considerations into strategic decision-making. To achieve this, we dedicated efforts to construct risk dashboards for clearer communication. We developed multiple dashboards to track operational performance and report on our security risk posture (section 4 our journey). This streamlined the process of providing data-driven reports to leadership for more informed decision-making. Additionally, we created various reports and dashboards for different LinkedIn audiences, resulting in more efficient and effective risk management discussions and a consistent message throughout GRC.
Next Generation Program
As the concrete benefits in program efficiency and effectiveness started to be socialized more, other teams began looking to onboard their processes to our platform. Our Business Continuity and Resiliency program started using the platform to conduct their Business Impact Analysis assessments and some other processes (section 5 in our journey). This in turn allowed us to directly integrate information security and availability risks in this space directly with our dashboards and reports. We were receiving effective and efficient insights from BC&R that helped to contextualize the risks we were observing in various parts of our IT environment.
We also began to look at some ‘next generation’ practices as feasible with our new data structure. We began developing automated key risk indicators intaking data from throughout our IT environment to our platform with the goal of continuous and automated risk monitoring (section 5 our journey). These indicators allowed us to measure things from across our IT environment at scale, even if the related processes were not onboarded to our platform. This allowed us to focus much more time on managing risk instead of just measuring it. With all of this data and process to analyze we became much more of a proactive risk management function, identifying potential problems based on contextual data and trends and implementing mitigations with the support of management before an incident occurs.
Lessons Learned
This was a fruitful journey for us and we learned quite a bit along the way. Here is what we learned:
Start with the Foundation: To build effective solutions, prioritize optimizing your data layer. Understanding the foundational data structure beneath any integrated risk management solution is essential before tackling UI/UX.
Remain Flexible with Feature Design Approach: Remain open to opportunities for enhancing and altering existing features. Flexibility is key to avoiding limitations in your configurations.
Don't Develop in a Silo: Sharing your feature design approach with other teams is crucial for effective automation and impactful results. We established a steering committee to foster alignment and visibility into feature roadmaps, connecting requirements from different teams, which allowed the delivery of solutions aligned with their strategic needs.
Research before Designing / Deploying: Before implementing custom configurations and solutions, prioritize research and leverage out-of-the-box options. This approach helps manage the product efficiently, reduces technical debt, and minimizes bug fixing.
User Acceptance Testing (UAT) is your best friend: Rigorous testing is crucial. Challenge your built functionality in test environments, exploring various scenarios and edge cases to anticipate potential issues. Automation of common test cases streamlines the process, allowing more time for creative edge case testing in sensitive workflows. Soliciting stakeholder feedback during UAT enhances the product's suitability and boosts stakeholder adoption.
Crawl -> Walk -> Run: Milestones are key for demonstrating progress and managing expectations. We shifted from a 'big bang' approach to 'crawl -> walk -> run,' using smaller iterations and phased implementation to deliver incremental value and gather stakeholder feedback early.
Conclusion
Adopting an integrated risk management solution with our platform brought transformative benefits to how our organization is able to analyze and manage risk at scale while providing exceptional service to our stakeholders and delivering increased efficiency, transparency, and confidence to our organization. By consolidating various risk data sources, we unveiled hidden correlations and gained predictive insights, enabling better problem anticipation and priority realignment. This shift fostered increased engagement from management and executives due to data-driven reporting. Overall, this approach fortified our security risk management, improved decision-making, and elevated our security commitment, aligning our organization for a secure digital future.
Acknowledgements
LinkedIn’s journey of maturity in our GRC platform and the benefit we saw would not have been possible without the support of senior management: Angel Liu, Atif Haque, Anthony Valentine, Natasha Michel, Chau Vu, Chris Obenza, and Anu Deshpande.
The steering committee guiding development in our platform: Eric Stoll, Whitney Parsons, Rucha Deshpande, and Chaitali Parmar.
The individual members of the GRC and TPS teams who developed and executed a vision for their processes and workflows: Brian Drummond, Keith Hung, Bryan Samonte, Knox Varela, Sharandeep Gill, Christina Blizzard, Pranjal Nagar, Shefali Mahajan, Eugene Dvorochkin, Briana Chu, and Justice Sanders.
And the Productive Engineering Team supporting implementation goals: Suresh Yekollu, Darrin Abell, and Parameswar Annapureddy.