This article first appeared on ISACA Industry News on January 31st 2023.

The beginning of a new year is the perfect time to reflect on the past year and assess any industry trends or upcoming events that could impact organizations. This can include evaluating the threat landscape, reviewing risk posture, or crafting a plan to better protect the enterprise in the future.

It is no secret that 2022 was marred by ransomware, data breaches, and exploited vulnerabilities, leaving boards of directors (BoDs) and organizational leaders asking, “Are we doing enough to protect ourselves?”

What Kind of Glasses Are You Wearing?

Risk and security professionals need to be prepared to respond to tough questions. But all too often, risk communication is focused on how an organization is being protected rather than how well it is being protected. This is largely due to the type of metaphorical glasses worn within the organization.

Rose-Colored Glasses

For anyone unfamiliar with the expression, someone who is said to be wearing rose-colored glasses perceives events in an optimistic but potentially naive manner. Rose-colored glasses are generally worn by risk professionals who focus on compliance and the achievement of certifications. Their focus is on passing an audit. When this is achieved, it is conveyed to stakeholders that the organization has satisfactory controls and everyone celebrates a job well done.

Painting this rosy picture projects the illusion that compliance equals security and that the enterprise has no sources of risk to worry about. However, a control that passes its audit test has only been shown to operate as designed; that alone does not mean the organization’s risk has been reduced to an acceptable level. Wearing rose-colored glasses misleads organizational leaders into believing that everything is fine, so when an incident occurs they are caught off guard and may blame the risk team for the perceived lapse.


Blinders

Wearing blinders is similar to wearing rose-colored glasses. However, in this case, it is the organizational leaders who wear them. Despite best efforts to communicate the context and need for investments in security and risk reduction, decision-makers might ignore or devalue such initiatives. From their standpoint, as long as the organization can pass an external audit or obtain a compliance certification, they are satisfied. Those wearing blinders often do not see or understand the need to expand or invest in security.

Magnifying Lenses

In contrast to the lack of scrutiny described in the previous examples, those using magnifying lenses often overanalyze security and risk information. They research incidents that have taken place at other organizations in hopes that understanding the high-level details on security and risk reduction activities will be enough to prevent their enterprise from becoming the next media headline.

While this level of scrutiny is not necessarily bad, it is not always healthy. Organizational leaders use magnifying lenses when they lack confidence that their organization is protected. They are hyper-focused on the details of nonconformance, risk treatment plans, and the latest threats and vulnerabilities because they do not understand what is being done to reduce risk in their organization.

Communication Breakdowns Lead to Mistrust

In a 2021 study, 77% of respondents noted that they saw an “increase in the number of disruptive attacks, such as ransomware, over the last 12 months.” [1] But another study captured that “just 9% of boards declared themselves extremely confident that the cybersecurity risks and mitigation measures presented to them can protect the organization from major cyber-attacks.” [2] This discrepancy is largely due to how risk professionals communicate with organizational leaders.

While compliance-focused metrics can be valuable, they do not always provide stakeholders with sufficient, meaningful, or actionable data. Audit reports are derived from point-in-time assessments that are outdated almost as soon as they are reported.

Further, in many cases, controls are tested only on a sample, which says nothing about nonconformities that may exist in the untested remainder of the population. And all too often, audit reports are provided to stakeholders without context, background, or an explanation of how the results affect the enterprise. The result is unprepared organizational leadership with a false sense of security and no urgency to invest in security, which leaves the organization highly susceptible to attack.


Put On Your Risk-Colored Glasses

In 2023, it is time for a new pair of glasses. Organizations must shift from a compliance-focused approach to a more comprehensive risk program that aligns compliance, cybersecurity, and risk management activities with business goals and objectives.

When one focuses on organizational objectives and takes the time to understand the desired strategic outcomes, one can assess all factors that impact those objectives, automate assessments to determine if risk is being sufficiently reduced in relation to those objectives, and tailor risk reduction activities to accelerate business.

With this approach, the organization is no longer conducting assessments for the sake of obtaining a certification, it is using the information captured from control assessments to recommend risk reduction activities in support of business objectives.

Those who wear risk-colored glasses collaborate with organizational leaders to understand strategic objectives and identify critical assets and processes that must be secured to achieve those objectives. Rather than merely focusing on meeting compliance requirements, the focus is on assessing and mitigating the risk to the business.

What Do Risk-Colored Glasses Show?

Consider an organization focusing on increasing revenue by expanding outbound sales in new territories in the European market. A compliance-focused organization might conduct an internal assessment of EU General Data Protection Regulation (GDPR) requirements, determine if current controls are in place to meet them, and report metrics indicating the organization is compliant.

However, a risk-focused enterprise begins by assessing the unique threats within the region and determining the risk factors that could prevent the organization from conducting sales in Europe. For example, supporting a growing customer base could result in a greater demand for resources and elevate the risk of a business disruption.

This could lead to reputational damage and/or canceled contracts and prevent the organization from achieving success in Europe. To reduce this risk, the organization could deploy redundant infrastructure in the European Union and utilize local utility providers to support highly available and more fault-tolerant services for their customers.

Although this initiative may not be required to be compliant with GDPR, investing in the implementation of this control would reduce the risk of lost revenue in the future and enable the organization to meet its objective.

Those wearing risk-colored glasses help their organizational leaders make decisions based on the potential impact on business objectives and priorities. This allows those risk professionals to report realistic data in the context of the business. But they can also utilize these glasses when approaching compliance.

As noted, there is high risk associated with relying on annual audits for security assurance. Instead of relying on point-in-time audits with limited sample sizes, those wearing risk-colored glasses focus on automating evidence collection and control assessments. This enables full population testing to be conducted continuously throughout the year.

And given the inverse relationship between control efficacy and residual risk, automating these activities allows risk professionals to utilize the compliance activities they are already doing to create an always-on risk management program.
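Two of the points above can be made concrete: a sample-based audit says nothing about the untested remainder of the population, and automated full-population testing removes that blind spot. The following Python script is an added example written for this page; it is not code from the article or from ZenGRC. It uses a constructed inventory of 200 hypothetical user accounts and a hypothetical “MFA enabled on every account” control. It computes the probability that a random audit sample of a given size finds zero exceptions when five accounts are actually nonconforming (the hypergeometric “no exceptions noted” case), checks that figure against a simulation, and contrasts it with a full-population check that enumerates every failure.

```python
"""Sample-based vs. full-population control testing (added illustration).

Constructed data: a hypothetical account inventory for an "MFA enabled on
all accounts" control. Nothing here comes from a real system or from ZenGRC.
"""
import math
import random

# Constructed inventory: 200 accounts, five of which violate the control.
TOTAL_ACCOUNTS = 200
FAILING_IDS = {17, 58, 103, 144, 190}  # hypothetical nonconformities


def build_inventory(total=TOTAL_ACCOUNTS, failing_ids=FAILING_IDS):
    """Return account records; `mfa_enabled` is the attribute the control tests."""
    return [
        {"user": f"user{i:03d}", "mfa_enabled": i not in failing_ids}
        for i in range(total)
    ]


def miss_probability(population, nonconforming, sample_size):
    """Probability that a random sample (without replacement) of `sample_size`
    records contains none of the `nonconforming` records.

    This is the chance an audit sample reports "no exceptions" while the
    control is actually failing somewhere in the population.
    """
    if sample_size > population:
        raise ValueError("sample cannot exceed the population")
    if nonconforming == 0:
        return 1.0
    # math.comb(a, b) is 0 when b > a, so an oversized sample correctly yields 0.0
    return math.comb(population - nonconforming, sample_size) / math.comb(population, sample_size)


def sample_test(inventory, sample_size, seed):
    """Point-in-time audit style: test a random sample, report exceptions found."""
    rng = random.Random(seed)
    sample = rng.sample(inventory, sample_size)
    return sorted(r["user"] for r in sample if not r["mfa_enabled"])


def full_population_test(inventory):
    """Continuous-assurance style: evaluate every record, so no failure can hide."""
    return sorted(r["user"] for r in inventory if not r["mfa_enabled"])


def empirical_miss_rate(inventory, sample_size, trials, seed=0):
    """Fraction of simulated sample audits that find zero exceptions.

    Should converge on miss_probability() for the same population and sample size.
    """
    rng = random.Random(seed)
    misses = 0
    for _ in range(trials):
        sample = rng.sample(inventory, sample_size)
        if all(r["mfa_enabled"] for r in sample):
            misses += 1
    return misses / trials


if __name__ == "__main__":
    inventory = build_inventory()
    failing = full_population_test(inventory)
    print(f"Full population: {len(failing)} of {len(inventory)} accounts fail MFA: {failing}")
    for n in (10, 25, 60):
        p = miss_probability(len(inventory), len(failing), n)
        sim = empirical_miss_rate(inventory, n, 5000)
        print(f"Sample of {n:3d}: {p:.0%} chance the audit sees no exceptions "
              f"(simulated {sim:.0%})")
```

With five nonconforming accounts out of 200, a 25-record sample reports a clean result roughly half the time, which is exactly the false assurance the article warns about; the full-population check has no such gap, and because it is a function over an inventory export it can be scheduled to run as often as the inventory changes rather than once a year.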

Wearing risk-colored glasses empowers risk professionals to proactively monitor and communicate risk in a context their organization will understand. Viewing business outcomes from this perspective enables organizational leadership to prioritize investments and agree on a suitable level of protection. Thus, they are provided with the necessary information to make decisions and answer the question, “How well are we protected?”

ZenGRC

ZenGRC can help you shift to wearing risk-colored glasses. ZenGRC starts with your business initiative and then shows the risks as they relate to that priority. That helps you see risk at a higher, more valuable level and gives you the insight to communicate risk effectively with business leaders.

Continue learning about communicating risk in business context in my blog, “Sure-fire Way to Boost Board Confidence: Communicate Risk in Their Language.”

References

[1] EY, Global Information Security Study 2021, United Kingdom, 2021

[2] EY, Global Board Risk Study, United Kingdom, 2021