Current Challenges in Risk Management
A recent study from EY Global found that 77% of companies across industries and geographic regions report an increase in threats to their business.1 Yet, information security and business executives say that it’s unnecessary organizational complexity that poses “concerning” cyber and privacy risks. To effectively reduce risk, they need to better prioritize IT and cyber risk across their organization.2
Is the Traditional Approach Enough?
Many organizations list IT and cyber risk management as a key objective but aren’t sure how to make it a reality. When you think of the traditional approach to risk management, you begin with a risk register, then manually create the relationships between controls, risks and threats, and then correlate the risks to various business activities.
With this, you’re able to report on operational metrics to executives.
There are a few issues with this approach:
- First, the compliance and risk activities across the organization are usually siloed and disconnected. This means that there are likely gaps, duplication and unseen risks
- Second, the speed of business, changing compliance requirements and the growth of data is accelerating, making risk management complex and nearly impossible for people to keep up
- Third, executives want to understand the value of their investments in business terms
Risk Management as a Business Decision Needs a Different Approach
Gartner advocates that risk management is a business decision, and we agree. That’s why RiskOptics approaches risk management differently. For example, instead of viewing risks according to the generic risk register used and then analyzing them against the business, we start with key business initiatives to assess the risk of the activities.
As a result:
- You get a simple way to view risks according to business activities or compliance needs
- You use programs tailored to the direct needs of your business-breaking down silos and unifying your view of risk against business priorities
- You drive data-driven decision-making
- You effectively communicate and discuss risk with business stakeholders and executives because you’re providing real value by speaking in their language about accelerating and protecting their priorities.
Essentially, traditional approaches focus on how the organization protects itself, such as obtaining a SOC2 report. But, by using programs to focus on the business priority, you’re now able to measure how well your organization is protecting itself. Just because you are certified compliant with a framework doesn’t mean that your controls are sufficient. Compliance does not equal security.
Build Risk Management Around Your Business Objectives
By focusing on your business objectives first and organizing them into a Cyber Assurance Program (CAP) within the RiskOptics ROAR Platform, you have contextual insight that keeps all of your stakeholders aligned around a common language for everyone to communicate with each other. Cyber Assurance Programs organize all related controls, processes, assets, requirements, risks, threats and providers in a single program wrapped around a business priority or objective. Cyber Assurance Programs provide a cohesive view of risk and compliance in the context of each business objective.
Traditionally, compliance and risk teams and programs operate separately and are designed around compliance frameworks or risk registers – not both. By using a program, you’re able to see the connection between risk and compliance as well as the direct impact they have on each other and the business.
With the growing attack surface, it’s easy to have risk blind spots. But, when you use the program-centric model, you’re able to visualize all risks as they relate to your various business objectives. And, because you are assessing the risk in the context of your business, you’re able to set risk appetites for each business objective and alert on changes.
The complexity of managing multiple requirement sets is simplified to reduce repetitive manual work, communication gaps, and potential risk blind spots. As hackers become more sophisticated and threats grow around the world, they are targeting vulnerable systems for their next payday. But, when you use a program to manage the risk associated with your various business objectives, you can project the impact of a breach and be more prepared.
Industry Examples of Turning Business Objectives into Cyber Assurance Programs
Let’s walk through a few examples of how you can turn your business objectives into a Cyber Assurance Program using the RiskOptics ROAR Platform.
Professional services firms often receive, transmit and store client data that are far more sensitive than some or all of their own records.3 Professional and business services have also added a lot of jobs in recent years.
It is a large and varied industry super sector that includes everything from law offices, business and technology consulting services, engineering services and computer systems designated to company headquarters, temporary help firms and call centers. For this type of business, customer data is critical! You may store vast amounts of personally identifiable information (PII), all of which needs to be protected and secured.
For the professional services industry, we recommend a Data Privacy Program. The main business objective here is to protect and secure PII. Any organization that processes, transmits or stores PII can benefit from this type of Cyber Assurance Program.
This program may consist of privacy frameworks such as GDPR, CCPA, HIPAA or other applicable privacy regulations. If you have more than one service, consider adding multiple programs for each service.
In the retail industry, cyber criminals focus on stealing information, especially the valuable cardholder data that flows between consumers and retailers. Insider threats in retail are also rising. Employee turnover is high, and the typical retailer has many points of insider vulnerability, including seasonal and traditional employees, as well as numerous stores and distribution centers.
Point-of-sale (POS) systems are an increasingly popular point of attack for gaining immediate access to valuable information such as card numbers and personal identification numbers (PINs).
For the retail industry, we recommend creating a Retail Operations Enablement program. The key business objective here is to protect and secure payment data, PII, and data assets including the cardholder data environment (CDE).
Any organization that sells goods or services, i.e., merchants, payment processors, acquirers/banks, payment card issuers and other service providers can benefit from this Cyber Assurance Program.
The frameworks involved in this program are PCI-DSS for all merchants and service providers accepting or processing payment cards, SOC2 for any US-based merchants or service providers and ISO 27001 for global merchants and service providers. Additional factors to consider for this program are third-party vendor access to your data and any other external providers where you need to assess risk.
Security and development teams are often driven by different metrics than the business, making objective alignment challenging. Developers want to release cool new features and support company growth while security teams tend to be a wet blanket. So, how can we align developers and security teams? And, how can we get better at communicating the risk and compliance associated with providing our software to customers?
By creating a Cyber Assurance Program specific to the Software Development LifeCycle, of course! This program focuses on the business objective of deploying secure code to our customers. Any organization that provides software can benefit from this program.
The frameworks involved for this CAP are typically SOC2 and ISO 27001. If you have multiple locations, environments or product lines, consider creating multiple programs. Also, think of how you can integrate with existing systems to monitor in an automated way.
Put Cyber Assurance Programs into Action
As you can see, there are numerous ways to create programs from your business objectives and ultimately reduce risk in the process. By using programs, you can convey risk in a common business language, improve tactical efficiency to free time for your team and accomplish your business goals and objectives.
Register for a FREE live demo to see ROAR in action.
And to learn more about our Cyber Assurance Programs, watch this recent webinar presented by me and my colleagues, Reduce Risk Using Cyber Assurance Programs.