CyberSaint Blog | Expert Thought

How to Establish an Integrated Risk Management Methodology

Written by Ethan Bresnahan | October 11, 2018

With the National Cyber Strategy and the rise of regulations, the future for a compliance-based CISO is a patchwork of cross-border regulations that will result in further fractionation of an already siloed cybersecurity organization. Without a common set of practices or foundation to build a cyber strategy upon and tie all these regulations together, cybersecurity teams will be continually faced with redundant regulations that vary only slightly and have an immense amount of overlap. A compliance-based CISO, though, is bound to an endless list of checkboxes for each new assessment, regardless of its similarity to others.

Furthermore, compliance is a set of bare-minimum, broad-spectrum controls that are meant to secure an entire industry or a critical aspect of a country. Compliance-focused organizations will end up overspending in areas they don't have to and underspending in areas they do. A compliance mindset ignores the fundamental principle that every organization is different, and as a result, it does not make sense to adhere to the same, rigid security requirements alone.

Align Your Risk Management Methodology with Business Outcomes

While it can be easy to look at risk management activities from technology or IT perspectives, you may be fighting an uphill battle presenting this to non-technical executives and team members. Aligning your cyber strategy and investment in tools with business processes and outcomes allows you to collaborate with other members of the C-suite and the board. This alignment shifts the stance of cyber from a hindrance to a means to effectively achieve objectives, furthering business growth and innovation. Start by analyzing your most recent risk assessment and asking yourself which identified risks you’re investing the most time and effort in mitigating. What disruptions would those risks cause if left unmitigated?

Presenting the risks of the organization in a business context empowers non-IT executives and opens up the way the organization assesses and understands risk beyond just technical members. The sharing of knowledge helps the entire organization recognize that security is an organization-wide effort that everyone must be aware of and participate in. This shift also allows non-technical business leaders to make more informed strategic decisions for their own business units within the context of digital risk.

Risk Awareness is Part of Risk Management

The greatest hurdle to overcome in supporting a risk-aware culture is the foundational principle that there is no such thing as perfect protection. To non-technical executives who are unfamiliar with the subject, this concept can be frustrating on the surface. As such, it is critical to start by presenting risk in the context of business outcomes. Risk is a critical piece of the strategic thinking that the C-level and board undertake to steer an organization, and they must be effectively informed. It is your job as a security leader to communicate the level of risk to them as effectively as possible.

Risk is a critical aspect of business strategy

The second tenet of a risk-engaged culture is the recognition that with any strategic decision about risk comes a residual risk that can't be addressed under the current cybersecurity strategy. Effective risk management processes that roll up into the overall enterprise risk profile result in secure growth for the business. For too many CISOs, though, any residual risk is seen as a failure to do their job. A risk-aware culture, however, enables the organization to effectively convey the decisions of which risks to address and why. This transparency is imperative to ensure that the whole organization knows where it stands.

Effectively report on the risk-based approach

If it’s not measured, it’s not managed. Shifting from a checklist/compliance-based strategy to an integrated approach to risk management and compliance will change how your security organization reports on its success. Read more on what four reports a risk-aware CISO needs here.

Inform Non-technical Leaders of the Risk Management Methodology 

With the buy-in you receive, ensure that non-technical decision-makers have all the necessary information to be able to make informed decisions based on the risk their strategy brings.

The Tools Necessary For A Risk-Focused Organization

GRC to IRM solutions

The transition from a compliance-based organization to a risk-based organization calls for a shift in the technology that empowers your organization as well. Governance, risk, and compliance (GRC) solutions are designed specifically to help a compliance-based CISO hit the checkboxes on the new mandates they have to meet. Yet, a compliance-based CISO will be stuck in an endless loop of redundant assessments that vary only slightly to meet whatever assessment is currently in progress.

A risk-focused CISO, on the other hand, has different priorities. They are less concerned with checking boxes than with unifying the risks of their organization within a single pane of glass, capable of being seen throughout the organization. Enter an integrated risk management solution. An integrated risk management (IRM) solution aligns with a risk-oriented CISO through six main aspects:

  • Strategy - enables implementation of a framework as well as iterations based on improvements made over time
  • Assessment - allows for the breakdown and assignment of risks
  • Response - tracks the implementation of controls to mitigate potential risk
  • Communication and reporting - empowers a CISO to share this information with technical and non-technical stakeholders throughout the organization
  • Monitoring - allows for the identification and implementation of processes that track set governance objectives, risk ownership, and accountability. Monitor compliance with policies and decisions that are set through the governance process and risk associated with those objectives along with the effective implementation of risk mitigation and controls

An Integrated Approach to Risk Management Requires an Integrated Solution

Why IRM must be truly integrated, and not module-based

Many (most) GRC solutions in the market today are module-based, meaning that the value they deliver is in separate modules that a user purchases and therefore has prioritized as part of their cyber program. IRM and GRC solutions are inherently at odds given that GRC platforms and IRM solutions are built differently: module-based platforms are designed and priced for checkbox compliance, not the rapid iteration and increased volumes of transparency across the organization of IRM. A module-based solution inherently creates silos within the organization since we as users will divide and conquer based on the modules within the suite. Since a risk-focused cyber program hinges on the idea of a transparent, integrated approach to risk that is not siloed to the security organization, implementing an integrated risk management program demands a solution that offers a single pane-of-glass view of the organization's risk profile and cybersecurity posture. The shift to a risk-based culture and enabling technologies can be challenging. With the increased concern at the Board and CEO level, innovative technology and visibility into cyber posture are central to the effective improvement of the decision-making process.

The CyberStrong platform is the only single pane of glass solution that can truly empower your organization to make the shift from compliance-based thinking and GRC to risk-based strategy and IRM.

Don’t be fooled by GRC solutions with IRM messaging

While many GRC platforms have begun to adopt IRM language, don’t be fooled by the use of IRM terminology. IRM and GRC are at odds as they approach the problem of risk mitigation differently: while a GRC solution may have the aspects of IRM (Gartner: VRM, CCO, BCM, AM, ELM, DRM) as modules, a GRC-based solution cannot empower a security team to make the shift to a risk-focused mindset. Module-based solutions simply will not allow it. We are seeing “integrated GRC solutions”; we would say examine how the product enables your organization: does it integrate or does it silo? What a true IRM solution is, and what a risk-based strategy demands, is a unified platform that delivers an integrated view of all cyber security, risk, and privacy activities across all facets of IRM as well as the ability to effectively communicate that information to non-technical stakeholders.

Start Now

The shift from a compliance-based mindset to a risk-based approach to compliance and risk management strategy is an iterative process. It doesn’t happen overnight. As more business processes move to digital and secondary competencies are outsourced to the supply chain, compliance is no longer sufficient. With security becoming a board-level concern, not just from an internal perspective but from a buying perspective, a risk-based strategy is imperative to future business success. Further, we are seeing strong security and privacy emerge as competitive advantages in both the business and consumer marketplaces. As we’ve seen, it requires both a shift in mindset and culture as well as new technology solutions to empower and sustain those changes.

Read more about the value of an integrated risk management approach and the critical capabilities of an IRM solution in the CyberSaint IRM Solution Buying Guide.