        Sure-fire Way to Boost Board Confidence: Communicate Risk In Their Language

        Published June 7, 2022 • By Meghan Maneval, Director of Technical Product Management • Blog

        Looking back at the past few years, the COVID-19 pandemic has forced technology leaders to drastically rethink their approach to strategic planning. Projects that may have been scoped over months or years required almost overnight deployment. Organizational digital strategies were accelerated and new processes were implemented to support the shift to global remote activities.

        But with this acceleration, many organizations took an “implement first, worry about security later” approach. This resulted in an increase in security control gaps and risk blind spots, leaving a much larger playing field for threat actors. In short, the threat of cyber attacks has never been higher. Yet despite the increase in threats to their business, just 9% of boards are extremely confident that they’re protecting their organization from cyber attacks [1]. Which begs the question: why?

        Siloed and Reactive GRC

        Historically, compliance and risk teams have operated separately and were designed around a compliance framework or a risk register, but not both. When additional assets are considered, such as third parties, facilities, and infrastructure, they are generally managed by additional teams resulting in siloed activities, duplication of work, and communication gaps. This leaves technology leadership in a reactive role, unable to provide a clear view of risk to their board.

        But fear not! You can turn these challenges into an opportunity and go from being the enforcer of security to the influencer of corporate strategy. And it starts with communicating risk in the context of your business.

        Consider how you interact with your various stakeholders:

        • After an incident
        • At the end of a project that needs your approval
        • When a big audit is approaching

        This presents the image of reactive security and risk management and can lead to a lack of confidence from the Board.

        Making the Mindshift

        To change the perception of your Board and lead the modern conversation with business stakeholders and executives, you need to approach risk differently. This requires a mindshift! It requires you to think about the business outcome first regardless of your compliance framework or risk register.

        1. Start by thinking about what is coming up for your organization. Look at your company’s roadmap, objectives, and upcoming goals
        2. Next, consider what needs to be protected or secured to meet this objective
        3. Then, document the various elements that will enable or prevent you from meeting those objectives

        Example of this mindshift

        What is your organization’s goal?

        • Increase sales in various markets

        How can you help?

        • Protect revenue streams
        • Maintain continuity of services
        • Secure customer data

        What elements will enable or prevent you from meeting those objectives?

        • Facilities: data centers, office buildings
        • Assets: laptops, servers, even filing cabinets
        • Vendors, suppliers, etc.

        It’s Not About the Frameworks… or At Least Not Right Away

        Notice how nowhere in this conversation did I say “what frameworks do I need to comply with?”

        The purpose of conducting compliance activities is not to be compliant with a framework but rather to reduce the risk to your organization.

        Putting your business objectives in the center of that allows you to shift the conversation from “have we met the minimum requirements for a compliance framework” to “how well are we safeguarding our most important and valuable assets?” And that mindshift allows you to assess all of the factors that impact the company’s objectives, provide a single pane of glass view of risk in relation to those objectives, and tailor your risk reduction activities to meet them. This ultimately leads to actionable data that can be communicated in business-specific language that will boost board confidence.

        Getting Started

        Reciprocity® is pioneering a first-of-its-kind approach to IT risk management that ties an organization’s risk directly to its business strategy. This enables security executives to communicate the impact of risk on high-priority business initiatives, leading to smarter, more informed decisions. We’ve put together a list of 6 example Cyber Assurance Programs that can help you get started down this path.

        And since the role of the CISO has evolved from a back-office “doer” to a main communicator and influencer to the C-suite, it’s important to understand this new dynamic. This conversation is continued in our latest fireside chat with a panel of CISOs. Tune in to this on-demand session to hear their thoughts.


        [1] https://www.ey.com/en_ph/board-matters/three-cybersecurity-considerations-that-boards-should-address
