Looking back at the past few years, the COVID-19 pandemic has forced technology leaders to drastically rethink their approach to strategic planning. Projects that may have been scoped over months or years required almost overnight deployment. Organizational digital strategies were accelerated and new processes were implemented to support the shift to global remote activities.
But with this acceleration, many organizations took an “implement first, worry about security later” approach. This resulted in an increase in security control gaps and risk blind spots, leaving much larger playing fields for threat actors. In short, the threat of cyber attacks has never been higher. Yet despite the increase in threats to their business, just 9% of boards are extremely confident that they’re protecting their organization from cyber attacks [1]. This begs the question: why?
Siloed and Reactive GRC
Historically, compliance and risk teams have operated separately and were designed around a compliance framework or a risk register, but not both. When additional assets are considered, such as third parties, facilities, and infrastructure, they are generally managed by additional teams resulting in siloed activities, duplication of work, and communication gaps. This leaves technology leadership in a reactive role, unable to provide a clear view of risk to their board.
But fear not! You can turn these challenges into an opportunity and go from being the enforcer of security to the influencer of corporate strategy. And it starts with communicating risk in the context of your business.
Consider how you interact with your various stakeholders:
- After an incident
- At the end of a project that needs your approval
- When a big audit is approaching
This presents the image of reactive security and risk management and can lead to a lack of confidence from the Board.
Making the Mindshift
To change the perception of your Board and lead the modern conversation with business stakeholders and executives, you need to approach risk differently. This requires a mindshift! It requires you to think about the business outcome first regardless of your compliance framework or risk register.
- Start by thinking about what is coming up for your organization. Look at your company’s roadmap, objectives, and upcoming goals
- Next, consider what needs to be protected or secured to meet this objective
- Then, document the various elements that will enable or prevent you from meeting those objectives
Example of this mindshift
What is your organization’s goal?
- Increase sales in various markets
How can you help?
- Protect revenue streams
- Maintain continuity of services
- Secure customer data
What elements will enable or prevent you from meeting those objectives?
- Facilities: data centers, office buildings
- Assets: laptops, servers, even filing cabinets
- Vendors, suppliers, etc.
It’s Not About the Frameworks… or At Least Not Right Away
Notice how nowhere in this conversation did I say “what frameworks do I need to comply with?”
The purpose of conducting compliance activities is not to be compliant with a framework but rather to reduce the risk to your organization.
Putting your business objectives in the center of that allows you to shift the conversation from “have we met the minimum requirements for a compliance framework” to “how well are we safeguarding our most important and valuable assets?” And that mindshift allows you to assess all of the factors that impact the company’s objectives, provide a single pane of glass view of risk in relation to those objectives, and tailor your risk reduction activities to meet them. This ultimately leads to actionable data that can be communicated in business-specific language that will boost board confidence.
Getting Started
Reciprocity® is pioneering a first-of-its-kind approach to IT risk management that ties an organization’s risk directly to its business strategy. This enables security executives to communicate the impact of risk on high-priority business initiatives, leading to smarter, more informed decisions. We’ve put together a list of 6 example Cyber Assurance Programs that can help you get started down this path.
And since the role of the CISO has evolved from a backoffice “doer” to a main communicator and influencer to the C-Suite, it’s important to understand this new dynamic. This conversation is continued in our latest fireside chat with a panel of CISOs. Tune in to this on-demand session to hear their thoughts.
[1] https://www.ey.com/en_ph/board-matters/three-cybersecurity-considerations-that-boards-should-address