Security Think Tank: Embed security professionals in your risk strategy
How can security professionals help their organisations move from traditional governance, risk and compliance to integrated risk management that integrates risk activities from across an organisation to enable better strategic decision-making?
Successful businesses are usually the ones with an agreed unified strategic plan. This is imperative when it comes to identifying, managing and mitigating enterprise risk. Effective risk management comes from all the different facets of the organisation working and cross-communicating so that future risks can be predicted and mitigated.
In an insurance company, for example, this helps to ensure that fraud and high-value claim events don’t slip under the radar or catch the organisation off-guard and without the resources and capital on hand to deal with them. Claims assessors feed information back in about the types of claims they are assessing to identify patterns.
This is the case for most industries, and can be seen across market and economic analysts, weather forecasters, surveyors, car safety experts and many more. They all provide visibility and insights that form an integrated approach to risk management and deliver a stronger, safer and more viable business for the immediate future, as well as the medium to long term.
The same operational requirements apply to cyber security professionals in an IT department or any other business unit. Yet, many information security practitioners are not as heavily embedded into an organisation’s risk strategy as their counterparts from the financial, personnel, manufacturing, logistics and marketing sides of an organisation.
The reason for this is often a matter of historic process, with risk management being focused on tangible physical attributes (money, people, materials, trucks, and so on), when really the notion of enterprise risk needs to be widened to encompass both strategic risk (money, people, materials, trucks, the impact of insuring homes in a known hurricane hot spot) and opportunistic risk (hacking, data loss and theft, IT compliance failure, information disclosure, disgruntled staff deleting key files, and so on).
Deshini Newman, (ISC)²
For any organisation wanting to make integrated risk management work today, its information security practitioners need to be integrated into the heart of the risk management reporting and evaluation process. They simply cannot be downstream of it, and still be expected to operate quickly and proactively when a security concern manifests itself.
As analyst firm Gartner states: “An integrated risk management strategy reduces siloed risk domains and supports dynamic business decision-making through risk data correlations and shared risk processes.”
Cyber security professionals are very well placed to add value to integrated risk management and rapid business decision-making in their organisations.
Reporting is paramount, but so is clear governance, education and clarity of understanding. Security professionals need to ensure that other, non-IT based parts of the business can understand the context of the cyber security risk in discussion, as well as relate to the broader and theoretical data and compliance risks being identified and communicated.
This is important because security professionals are focused on potential issues that are only just on the horizon – be that new approaches in security defence and illicit attack, early discussion about new legislation, or simply best practice from elsewhere in the business world that hasn’t made its way to your business yet – as well as the actual threats, issues and compliance requirements of the moment.
Similarly, information security professionals need a clear vertical view of risk down through the business, and that means being closely embedded with other teams to understand the operational and coalface challenges, be that technology, process or regulatory.
One of the greatest pitfalls of risk management is not maintaining a unified approach to actioning strategy, policy and process. So, document everything and make a plan, revise that plan, communicate it to every stakeholder in the process and, most importantly, follow it but be prepared to change your plan if the needs of the business change.
Read more about integrated risk management
- Turnkey Consulting’s Simon Persin considers the operational approach to integrated risk management.
- To be sufficiently effective and efficient, the ability of organisations to discover, manage and mitigate digital risk requires greater integration between internal functions, says Ovum’s Maxine Holt.