I recently had the honor and privilege of speaking at the ISACA Europe Conference in Rome, Italy, on the benefits of using cyber assurance programs from the Reciprocity® ROAR Platform to communicate risk in the context of your business. In addition to seeing the Coliseum and trying a Chicken Big Mac, ROARie and I got to network and connect with security, risk and compliance professionals from around the world.
As I began writing this blog, I intended to highlight all of the new concepts presented and document the various lessons learned throughout the week. But I can summarize that in one sentence: No matter where you live or what your organization does, we all care about risk!
And we’re all struggling to communicate that risk to our leadership. Many people I met were concerned with the large amounts of data they were tasked to keep safe. For others, their cloud infrastructure was of critical importance. But the common theme was the same question: how do we know if we’re doing enough to reduce our risk and keep our organization safe?
The Purpose of Compliance
To answer this question, let’s first discuss the purpose of compliance management. Compliance, by definition, is the act of adhering to a set of requirements. No matter what that list is (an international standard, internal policies or customer requests), you are tasked with meeting them.
Some may say that the purpose of compliance activities is to ensure adherence to your requirements and identify gaps or non-conformities. But is it? Or is the purpose of compliance to reduce the risk to your organization? Think about it. While the result of our compliance activities may be a SOC 2 report or an ISO certification, the real reason we conduct those activities is to reduce the risk to our business by validating that controls are functioning effectively.
To demonstrate this concept, let’s talk about rental cars! After the ISACA conference, ROARie and I rented a car and drove south of Rome to visit my family. When I picked up the car, the agent indicated that any renter with a non-Italian driver’s license needed to purchase additional insurance. Since I am from the United States, this meant that I had to comply with this rule or not rent a car. Now, is the purpose of this rule to force renters into purchasing insurance and “check a box” on the list of requirements the rental car company maintains? Or is there a higher risk associated with foreign drivers, so that to prevent loss to the organization, they require those renters to carry insurance? I believe it’s the latter.
And it’s the same within our organizations. Your organization may have a rule that you must have mobile device management applications on all company cell phones. Is the purpose of this rule to force users into loading an app? Or is the purpose enabling a way of securing, managing and remotely erasing any company data on mobile devices to prevent data loss and costly breaches? When you focus on reducing your risk rather than obtaining a certification or audit report, you can better demonstrate how well you secure your organization and highlight the areas of highest risk.
Keeping Your Most Precious Assets Safe
The next step in determining if you’re doing enough to reduce risk is identifying the most critical areas within your organization. Or to phrase it differently, what areas of your organization are most essential to meeting your goals and objectives? You may have heard the phrase, “don’t try to boil the ocean.” This is a significant pitfall of traditional compliance-focused activities. When you have a list of controls and a mission of applying them across your organization, you lose sight of the context. But when you align your compliance activities around your business priorities, you can apply higher levels of protection to critical areas and demonstrate your ability to reduce risk where it matters most.
In one of the sessions, the speaker discussed the importance of layered protection, which promoted a conversation around the “Tower of London” analogy. You store your crown jewels in the heart of the castle. They are in a locked room guarded 24 hours a day. Further, the castle itself has locked doors guarded 24 hours a day. There is a moat around the castle. And the moat has crocodiles. In this story, your most precious asset is secured using multiple layers of protection. But would you implement the same level of protection on the gift shop that sells replicas of tiaras? Hopefully not.
However, the compliance-first approach does just that. Working from a list of requirements and controls assumes that all areas of your organization carry equal importance. Further, it also assumes that all controls reduce risk equally. That’s why ROARie and I took a risk-first approach to protecting our belongings as we traveled. We identified four main assets: the checked suitcase, the carry-on bag, the backpack and my purse. You can think of these as areas of your business. Each is important, but the impact of an adverse event varies greatly between them.
Did I apply the same level of protection to my purse as to my checked suitcase? Nope! Based on the contents of each, the intrinsic value varied drastically, and so the level of protection should also vary. Considering the consequences of each asset being lost, there is a significantly higher impact should my purse get lost than if my checked suitcase does.
So we deployed a level of protection for each asset based on its potential impact on our trip. We used AirTags to track the location of each asset. We kept the carry-on bag with us to ensure we had backup clothes should the checked suitcase get lost. We had a lock on the zipper of the backpack. And I used a cross-body purse with a hidden inner pouch for our passports. That’s how you implement levels of protection in the context of your business priorities.
Are You Speaking the Same Language?
Although I am of Italian descent, my ability to speak Italian is very limited. When ROARie and I visited the village where my family lives, few of its residents spoke English. Despite my best efforts and using a translation app, it was difficult to communicate with some family members.
The same can happen in organizations. Even if you share goals and objectives, if you can’t communicate in a language the other person understands, it is very difficult to get things done. You need to find a language that everyone understands. For us, that language was FOOD! I was able to prepare and serve meals with my cousins, sharing recipes, tips and stories of our grandmother.
For organizations, that common language is risk. Everyone understands that risk can prevent you from reaching your goals. That’s why when you communicate with your leadership or stakeholders, you have to keep it in the perspective of those goals.
With a compliance-first approach, you may report metrics such as the number of non-conformities from your external audit. However, that number carries no context on the impact of those non-conformities. But when you report risk, you can report outcomes that demonstrate how well your controls reduce the risk to specific areas of the business, in alignment with company goals and objectives. This empowers you to say: if we do these things, we reduce the risk to achieving this objective, and that enables you to reach this goal.
Are you ready to start assessing risk in the context of your business, identifying and implementing levels of protection, and communicating in a language that everyone can understand?
The Reciprocity ROAR Platform provides a cohesive view of your risk and compliance activities wrapped around your business priorities. Looking at your organization’s risk using cyber assurance programs enables you to influence, protect, and secure your organization. Download our white paper “Compliance Does Not Equal Security: How to Take a Proactive Approach to See, Understand and Act on Risk,” or get a free demo today!