The security industry spent decades propagating the myth that risk is bad, and you must eliminate it — but this truth is…
You see, there are various “lenses” through which to view risk: rose-colored, blinders, magnifying and crystal clear. After presenting this concept at an ISACA-sponsored webinar, I received many questions and comments about putting this into practice. Several attendees asked for recommendations for shifting from a compliance-based culture to a risk-first one.
Below are my 5 tips for reframing risk and converting it into your organization’s business advantage.
Tip #1. Know the Flaws of Traditional Risk Management
We all know the importance of risk management, but the mainstream frameworks and guidance have a few significant flaws.
They don’t require stakeholder risk education, fail to highlight the significance of contextualizing risk and overemphasize risk reduction as the primary treatment plan. As a result, risk and security professionals are scrambling to communicate the value of their programs.
Tip #2. Build Stakeholder Engagement
Depending on the organization’s size, infosec teams may communicate risks to various stakeholders: the board of directors, an audit committee or external auditors (to name a few). These reports are usually annual and focus on metrics and statistics. With this approach, those stakeholders only get a portion of the information. When this happens, you may see:
- Organizational leadership circumventing responsibility or accountability
- Risk communication causing panic and fear
- A high number of risks being accepted
- Misalignment with third parties (providers, customers or partners).
To combat this, consider implementing a risk awareness education program. Many companies already do security training regularly, so why not expand it to include risk?
As part of this, clearly defined definitions, scoring methodologies and workflows will aid comprehension. Does everyone in your organization know what a risk is? Are you communicating the relationship between risks, vulnerabilities and controls? Is there an agreed-upon risk tolerance? Taking the time to explain risk management, the various roles and responsibilities and how your organization conducts it ensures everyone is on the same page.
In addition, consider how often you communicate risk to those stakeholders. The concepts of annual risk assessments and reporting perpetuate the misconception that risk is a point-in-time process. When you shift to an always-on risk model, you also change to always-on reporting. Building transparency into your risk program ensures stakeholders are engaged and can make informed decisions.
Tip #3. Focus on the Money
Organizational leaders operate in a world of cost and value. They need to understand the risk associated with their business priorities to understand the importance of cyber risk investments and prioritize accordingly.
During the ISACA webinar, one attendee asked what the top 3 risks are that an audit committee should consider. The answer to this is unique and specific to each organization. Risk tolerance varies from one organization to the next — as do the top risks.
Instead of comparing your risk to other companies, focus on your business’s critical areas and how risk impacts each. This mind shift will surface unseen risks in the context of your business.
Consider a company that sells 3 products: A, B and C. Assessing the risks associated with each product individually allows you to see the risk differently. Ask questions like…
- What are the unique threats?
- Are there any known vulnerabilities?
- What compliance requirements does each product have, and are they the same for all?
- Which providers support the development, and what is the risk of those providers?
Doing this results in 3 unique risk profiles, one for each product.
Now it’s time to prioritize!
Looking at the risk profiles side-by-side, you can identify the highest risk areas for each product and utilize the percentage of impacted revenue as a prioritization mechanism. Comparing the risk to profit enables communication focused on determining the right level of protection. When you do this, you can say:
- We can do these things
- To help manage these risks
- So we can protect this amount of revenue.
This concept isn’t limited to products. Consider applying the same methodology to critical business units, markets or customer bases.
Tip #4. Diversify Risk Treatment
Have you ever heard the expression, “if everything is a priority, nothing is a priority”? It stems from the concept that if all elements have comparable importance, you cannot prioritize them appropriately. The same applies to risk.
Risk scoring methodologies differentiate risk by severity, such as critical, high, moderate and low. However, the severity doesn’t consider the context or impact on specific business priorities or objectives. Without that context, selecting the appropriate risk treatment plan is difficult. Not all high risks need fixing.
Framing risk around something your business cares about enables more informed risk treatment selection. In this case, the organization may accept the risk associated with Product C because it only brings in 10% of its revenue. Considering Product A equates to 65% of sales, the organization may prioritize its risk reduction activities over the other products. But you can’t effectively select a risk treatment plan without communicating the impact to the business.
Adjusting metrics and communication to highlight the risk associated with various organizational priorities ensures treatment options offer the right level of protection.
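The revenue-weighted prioritization described in Tips #3 and #4, as an added example that is not code from the post or from the RiskOptics platform. The product names, findings, severity weights, likelihoods and the 15% accept threshold are all constructed assumptions; it shows how a product with the highest context-free score can still rank last once revenue share is applied.

```python
from dataclasses import dataclass

# Assumed numeric weights for the severity bands the post names;
# the post prescribes no particular scoring scale.
SEVERITY = {"critical": 4, "high": 3, "moderate": 2, "low": 1}

@dataclass
class Finding:
    name: str
    severity: str      # one of the SEVERITY keys
    likelihood: float  # assumed annual probability, 0..1

@dataclass
class Product:
    name: str
    revenue_share: float  # fraction of total revenue, 0..1
    findings: list

def exposure(product):
    """Context-free score: severity-weighted sum of finding likelihoods."""
    return sum(SEVERITY[f.severity] * f.likelihood for f in product.findings)

def prioritize(products, total_revenue, accept_below_share=0.15):
    """Rank products by exposure scaled by revenue share and pick a treatment:
    accept when the product's share is below the tolerance threshold,
    otherwise reduce. Highest priority comes first."""
    plan = []
    for p in products:
        score = exposure(p)
        plan.append({
            "product": p.name,
            "exposure": score,
            "weighted_exposure": score * p.revenue_share,
            "revenue_protected": p.revenue_share * total_revenue,
            "treatment": "accept" if p.revenue_share < accept_below_share else "reduce",
        })
    plan.sort(key=lambda row: row["weighted_exposure"], reverse=True)
    return plan

# Constructed sample: three products with the revenue split quoted in Tip #4.
PRODUCTS = [
    Product("A", 0.65, [Finding("weak portal auth", "high", 0.5),
                        Finding("stale dependency", "moderate", 0.3)]),
    Product("B", 0.25, [Finding("unpatched server", "critical", 0.2),
                        Finding("verbose errors", "low", 0.9)]),
    Product("C", 0.10, [Finding("legacy integration", "critical", 0.6),
                        Finding("no MFA for admins", "high", 0.5)]),
]
```

Calling `prioritize(PRODUCTS, total_revenue=10_000_000)` ranks A, B, C even though C has the highest raw exposure, and marks C as accepted.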
Tip #5. Build to Scale
The most important thing to remember as you’re adjusting your risk lens is the scalability of your risk management program. Don’t overcomplicate your risk-scoring methodology!
Many companies already have the building blocks of an always-on-risk program; they just haven’t put the pieces together because they can’t see them all – until now.
The RiskOptics ROAR Platform empowers organizations to see, assess and act on risk using the compliance activities they are already doing.
Our unique approach organizes your activities into Optics, enabling side-by-side views of risk in the context of your business priorities. Evidence can be automatically collected and shared across framework monitors. And our expertly designed risk calculation algorithm dynamically adjusts your risk scores with each new control assessment.
Want to see it in action? Sign up for your FREE demo here.