People have long used mission statements, declarations and manifestos to publicly convey the intentions, motives or views of their issuers. While such statements have long been used in politics to challenge and provoke, they are also advertisements to gain attention and to spark action.

Whatever term you choose to use, there have been many declarations recently that cybersecurity investment is broken. It’s broken because it’s been approached as a technical issue, not a business issue. Despite years of cybersecurity investment, cyber threats and attacks are at an all-time high. The crux of the matter is that cybersecurity failures are due to decision-making failures and not technology failures.

Focus on Strategic Business Decisions

While organizations have thrown money at the problem for years, cybersecurity incidents are still happening and will continue to happen, regardless of how large the investment. History has now shown that you can’t spend or outsource your way out of the situation. Therefore, the right approach is a business-oriented one: managing risk in the context of business priorities and outcomes, balancing an organization’s risk appetite with prioritized investments to achieve a desired business outcome. This approach of managing risk in the context of your business is the new imperative for effective IT and cyber risk management.

Putting business priorities and outcomes at the center of your cybersecurity efforts is paramount and it’s at the heart of Reciprocity’s strategic approach to IT and cyber risk management. Through the creation and management of cyber assurance programs that unify compliance, risk and other requirements around business objectives, organizations gain the continuous, real-time insight and reporting needed to have data-driven business conversations.

Understand the Value Delivered

Cost and value are at the heart of every business decision. Understanding the implications of various options is what enables informed and effective decision making. Cybersecurity investments shouldn’t be any different.

According to a Gartner® report, “Optimizing cybersecurity risk in a business context through the lens of stakeholders needs creates a powerful model to drive decisions related to prioritization and investments”. The report further states, “risk, value and cost (RVC) optimization demonstrates to key stakeholders like shareholders, customers, regulators and partners that the organization has the right priorities and investments to create a balance between the needs to address risk with the needs to achieve their desired business outcomes. A risk-optimized approach creates credibility and defensibility that an organization is appropriately protected whether they have experienced a material cybersecurity incident or not”. 1

The ZenGRC AI engine automatically builds relationships among business assets and processes, controls and risks to intelligently deliver an automated risk posture and maximize data re-use, while continuously monitoring for any changes that can negatively impact that risk posture. This approach breaks down siloed activities, control assessment duplication, repetitive manual work, communication gaps and potential risk blind spots.

By understanding the impact of a change or investment across all related programs, organizations can make data-driven decisions that strengthen compliance, avoid and mitigate risk and prioritize the investments that optimize security. It also serves as the foundation for risk performance management through the ability to continually test and monitor your risk posture. Avoiding and managing risk in the context of business priorities and desired outcomes is imperative for facilitating productive conversations with business leaders and executives so they understand the cyber implications of strategic decisions.

Use Compliance as a Foundation for Risk

In a compliance program, controls are simply pass-fail. When the organization is “in compliance,” it has met the minimum requirements under its obligations. But being able to say “we’re compliant” is not the same as understanding to what extent implemented controls have effectively reduced the underlying risks. Compliance programs can be the foundation for establishing effective risk management with just a little more effort. This on-demand webinar, “Effective InfoSec Begins with ‘Reciprocity’ Between Compliance & Risk,” tells you more.

As your compliance demands expand and become more complex, it’s hard to prioritize where to invest resources to respond to growing requirements. A better information security program moves on from “check-the-box compliance” to thinking more about risk and business context. That includes how compliance activities impact the broader organization and its strategic direction and goals. This whitepaper provides a roadmap on how to use your compliance program as a foundation for risk management.

Balance Protection and Opportunity

As per Gartner, “there is no such thing as ‘perfect’ security. Businesses must constantly balance cybersecurity risks and investments against business value and outcomes. The goal should be to build a sustainable program that balances the needs to protect with the needs to run the business.” 2

To do this, organizations need to adopt a different approach, one that starts with the business priorities and outcomes they want to achieve. ZenGRC provides a unified, real-time view of risk and compliance, framed around your business priorities, giving you the contextual insight needed to easily and clearly communicate with key stakeholders to make smart, strategic decisions that will protect your enterprise, systems and data, and earn the trust of your customers, partners and employees.

  • 1 Gartner, Optimize Risk, Value and Cost in Cybersecurity and Technology Risk, Paul Proctor, Refreshed 2 August 2021
  • 2 Gartner, Use Value and Cost to Treat Cybersecurity as a Business Decision, Paul Proctor, Srinath Sampath, et al., Published 30 March 2022

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.