There’s a lingering belief that these are IT management concerns. That belief is founded upon a “perceived reality” of a business operating in an environment where IT was little more than a contributing discipline that completed tasks and delivered efficiency. It made some narrow sense in a world free of cyber anything, pre-internet, where digital transformation, mobile devices, bots, malicious actors, malware, ransomware, and threats from hostile government actors were relegated to science fiction thrillers. None of us live in that world today. Burying our collective heads in the sand will not change that. Nor will glasses tinted any shade of rose. Cybersecurity and its related risk management activities are a management concern. They are part of comprehensive oversight, governance, guidance, and strategic leadership. So, how well do your company’s culture and organizational structure reflect that contemporary reality?
Where Do Your CIO and CISO Sit?
Snarky responses aside, access to the rest of your company’s executive team is an important attribute of your cyber risk management and security program. If your organization’s structure has them report to other “C” level roles, you’ve established a potential barrier to clarity, transparency, and responsiveness. This is not in any way a slight to any other C-level role, but a simple statement of operational, procedural, and behavioral fact. It also sends a clear message to the rest of the organization that security and risk management are a secondary concern. That may create an additional hurdle for risk and security initiatives, as middle managers place more resources and attention on requests from those “higher level” executives, relegating ones from your CISO and CIO according to their organizational pecking order. Giving your CIO and CISO a seat at the executive table makes a number of high value contributions to your company:
- Enables them to establish and validate their roles as important strategic components to your company’s success
- Communicates the importance of security, cyber risk, and technology to the entire firm
- Gives your CIO and CISO firsthand exposure to these other disciplines, issues, and management concerns so they can participate in developing strategy and measuring achievement of business goals and success
- Affords open discussion among all C-level executives of how cyber risk, security, and technology contribute to and add value to the company’s business achievement.
- Reinforces and encourages representation of technical, security, and risk matters in terms of business impact rather than esoteric tech-speak.
- Affords direct communication, so that incidents and issues are addressed with greater timeliness and efficiency, strengthening overall business resiliency during unforeseen events.
Leadership By Enablement
Often, when we think about goals, achievement, and leadership, it’s from a fairly internal perspective, answering the question “what do I want to do?” Let me offer an alternative perspective. Consider the answer to the question “What do we need to be successful?” The answer is often fairly broad. But drilling into those generalized answers will quite often yield presumptions of reliability, persistence, accuracy, validity, and resilience, to name some attributes. These may depend upon processes, tools, technologies, people, partners, and even regulators or providers of basic infrastructure such as transportation, energy, or communications. Many of those attributes, often just assumed to always be reliably present, can be and often are the victims of cyber attacks, weak security, and lax attention to practices that would otherwise thwart, or at least minimize, the risk of their compromise. Information technology and security leaders are well attuned to the vulnerabilities and threats to the presumed reliability that other leaders count upon to manage and deliver their own contributions to business goals. By placing them into the discussions where plans and direction are being developed at a senior executive level, businesses enrich planning with a fuller view of issues and opportunities, and a more complete understanding of the resources necessary to achieve outcomes.
Who Manages Your GRC?
The CISO and CIO roles are not the be-all and end-all of everything related to cyber risk and security. A governance, risk and compliance (GRC) manager is more than someone responsible for administering a software tool, conducting risk assessments, and reporting findings. Often this is a leadership role supporting those C-level executives and others, one responsible for the design, development, staffing, and operation of enterprise-wide delivery of many security and risk related services and processes. Often, this role will take the lead in security awareness training, both content and delivery. Incumbents will also work with other compliance managers and management to assure current and upcoming products and services meet established obligations. This may include interactions with external auditors, regulators, and third parties. Your GRC manager is the focal point of your compliance, risk, and governance processes. Often they will be the primary author of your governance practices, lead your compliance efforts, manage risk assessments, and serve as a valued participant in the implementation, delivery, and monitoring of data protection, authentication, recovery, and resiliency programs.
There are two more questions, whose answers help define the extended scope of your risk, security, compliance and governance roles:
- Who is responsible for third party risk management (TPRM)?
- Who is responsible for risk, governance, and compliance oversight when acquisitions are under consideration?
The ideal answer to both should be your GRC manager, under the executive guidance of a CIO or CISO who is part of the executive team and has visibility to the Board of Directors. But is this the case in your firm? There are many moving parts to TPRM. Certainly, your procurement practices are key components. Onboarding and offboarding procedures necessarily entail information exchanges to assure proper vetting of third party candidates. This goes well beyond fiscal health, service and product quality, timeliness, and contract negotiation. How well are these practices integrated with, and informed by, the risk, information security, and compliance expertise within your company? Is reliance upon critical partners a foundation of your resiliency, recovery, and incident management strategies? How do these processes and programs integrate to assure your leadership that your third party engagements preserve, and maybe even enhance, presumptions of reliability, persistence, accuracy, validity, and resilience where those relationships integrate with your operations? Your procurement professionals, no matter how experienced, would gain value and support from engagement with the risk, security, regulatory, and compliance expertise offered through GRC leadership.
And Then There’s The GRC Platform
A GRC platform is a critical technology tool that enables and strengthens these business and operational practices. For many who have followed these blogs this assertion will seem obvious, as will the observation that GRC platforms facilitate data integration, validation, and reporting. There are other, equally important but less recognized opportunities that a GRC platform makes easier. It is well suited to store, maintain, and serve as a consolidation point for compliance, risk, and related process and remediation project data. Feeds from incident management, audits, compliance reviews, remediation projects, risk assessments, and more can all reside logically within its data stores. Using the GRC platform as the single authoritative source for such data also simplifies data security, validity, distribution, and resiliency practices. Whether the system relies upon cloud storage or more traditional means, there are tools and services available to assure data management and integrity. Much of the content of a GRC system is likely sensitive and would be considered highly confidential; having it consolidated in one place makes technologies such as data loss prevention (DLP), tighter multifactor authentication and access management, and backup and restoration services more economical to implement and operate. The same consolidation also makes the platform a high-value target, which is why those access controls are not optional.
Analysis, data mining, and reporting are facilitated by consolidating related GRC data streams onto the stores of your GRC platform. Data analysis tools can easily relate, and also identify discrepancies between, alternative data views of specific operating practices or organizations. You can also explore specific controls or risks to see where recommended practices are consistently ignored. Doing so points out potential problems with control design, implementation, or understanding, which in turn afford focused and positive remediation strategies. Control management is an important aspect of risk management, one that’s often overlooked in binary pass/fail scoring. That’s why risk registers are an important design element of your risk and security programs.
Don’t Forget The Risk Register
Remember that your risk program needs to identify, assess, mitigate, and monitor risk to demonstrate “management”. Having a list of risks, whether identified through statements, measurements of control adherence, findings of audits or compliance reviews, or more, offers a scaffold upon which to design and construct your risk program. It’s a tool that presents context, direction, and definition, while also being useful to manage scope and measure maturity. Risk registers aren’t static. They need to be elastic and flexible to reflect the changing nature of your business and the threat environment you operate within.
The risk register’s content is something your own senior risk and security leadership must work to explain to other senior business leadership, and gain consensus on its alignment with your company’s goals and mission. This discussion needs to be an ongoing dialogue, and the exchange of ideas, opinions, priorities, and concerns is one reason why senior information technology, risk, and security professionals need a seat at executive leadership meetings. These experts need to understand the perspectives of the business from the views of operations, finance, marketing, compliance, product and brand management, and more. Likewise, those business leaders need to understand the integration of their own processes with those of their technology risk and security peers.
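As an added example (not from the article or its author), here is a small Python risk register that carries the identify, assess, mitigate, and monitor cycle described above, and also performs the cross-unit control-adherence check from the GRC platform section: a control that fails in nearly every assessed unit points at a design or understanding problem rather than one unit’s laxity. Every risk, control, score, review interval, and assessment result below is constructed for illustration; the 5x5 likelihood/impact scale, the multiplicative residual-risk formula, and the 90-day review interval are assumptions, not anything the article prescribes.

```python
"""Illustrative risk register (added example, not the article's own tooling).
All data is constructed; scoring scale and formulas are assumptions."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass
class Control:
    control_id: str
    description: str
    effectiveness: float  # fraction of inherent risk removed when operating (0.0 to 1.0)

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.control_id}: effectiveness must be between 0 and 1")


@dataclass
class Risk:
    risk_id: str
    title: str
    business_goal: str              # company goal this risk threatens; empty means unaligned
    likelihood: int                 # 1 (rare) .. 5 (almost certain)   [assumed scale]
    impact: int                     # 1 (negligible) .. 5 (severe)     [assumed scale]
    controls: list[Control] = field(default_factory=list)
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in range(1, 6):
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {value}")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Assumed model: controls apply multiplicatively, so two 50% controls leave 25%.
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent_score() * remaining, 2)


class RiskRegister:
    def __init__(self, review_interval_days: int = 90, residual_threshold: float = 10.0):
        self.risks: dict[str, Risk] = {}
        self.review_interval = timedelta(days=review_interval_days)
        self.residual_threshold = residual_threshold   # assumed risk appetite line

    def identify(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def mitigate(self, risk_id: str, control: Control, reviewed_on: date) -> float:
        risk = self.risks[risk_id]
        risk.controls.append(control)
        risk.last_reviewed = reviewed_on
        return risk.residual_score()

    def monitor(self, today: date) -> dict[str, list[str]]:
        """Flag entries that are stale, unaligned with a business goal, or above appetite."""
        findings: dict[str, list[str]] = {"stale": [], "unaligned": [], "above_appetite": []}
        for risk in self.risks.values():
            if risk.last_reviewed is None or today - risk.last_reviewed > self.review_interval:
                findings["stale"].append(risk.risk_id)
            if not risk.business_goal.strip():
                findings["unaligned"].append(risk.risk_id)
            if risk.residual_score() >= self.residual_threshold:
                findings["above_appetite"].append(risk.risk_id)
        return findings


def control_adherence(assessments: Iterable[tuple[str, str, bool]],
                      fail_rate_threshold: float = 0.75) -> dict[str, float]:
    """assessments: (org_unit, control_id, passed). Returns {control_id: fail_rate} for
    controls failing in at least fail_rate_threshold of assessments across units."""
    totals: dict[str, int] = defaultdict(int)
    failures: dict[str, int] = defaultdict(int)
    for _unit, control_id, passed in assessments:
        totals[control_id] += 1
        if not passed:
            failures[control_id] += 1
    rates = {cid: round(failures[cid] / totals[cid], 2) for cid in totals}
    return {cid: rate for cid, rate in rates.items() if rate >= fail_rate_threshold}


# Constructed sample data (hypothetical risks, controls and assessment outcomes).
SAMPLE_MONITOR_DATE = date(2024, 6, 1)
SAMPLE_ASSESSMENTS = [
    ("Finance", "C-01", True), ("Retail", "C-01", True), ("Logistics", "C-01", False), ("Engineering", "C-01", True),
    ("Finance", "C-02", False), ("Retail", "C-02", False), ("Logistics", "C-02", False), ("Engineering", "C-02", True),
    ("Finance", "C-03", True), ("Retail", "C-03", True), ("Logistics", "C-03", True), ("Engineering", "C-03", True),
]


def build_sample_register() -> RiskRegister:
    reg = RiskRegister()
    reg.identify(Risk("R-01", "Ransomware halts order fulfilment", "Ship orders within 24h", 4, 5))
    reg.identify(Risk("R-02", "Critical SaaS vendor outage", "", 3, 4, last_reviewed=date(2024, 5, 1)))
    reg.identify(Risk("R-03", "Unpatched internet-facing host", "Maintain PCI DSS compliance", 5, 4))
    reg.mitigate("R-01", Control("C-01", "Offline, tested backups", 0.5), date(2024, 1, 10))
    reg.mitigate("R-01", Control("C-02", "MFA on all admin accounts", 0.5), date(2024, 1, 15))
    reg.mitigate("R-03", Control("C-03", "Patch SLA for external hosts", 0.6), date(2024, 2, 20))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.risks.values():
        print(r.risk_id, "inherent", r.inherent_score(), "residual", r.residual_score())
    print("findings:", register.monitor(SAMPLE_MONITOR_DATE))
    print("controls failing almost everywhere:", control_adherence(SAMPLE_ASSESSMENTS))
```

In the sample, R-02 is flagged both as unaligned (no business goal) and above appetite, and R-01 and R-03 are stale because their last review predates the assumed 90-day window; C-02 is the only control failing in enough units to suggest a design or training problem rather than local non-compliance.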
Without question, alignment of business goals with your risk register is a key foundational step to building, developing, and managing a comprehensive risk program that’s relevant and effective. But more on that in an article to come.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he’s led efforts to achieve ISO 2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.