Why a compliance-based mindset will fail
With the National Cyber Strategy, the rise of regulations like the CCPA and GDPR, the future for a compliance-based CISO is a patchwork of cross-border regulations that will result in further fractionation of an already siloed cybersecurity organization. Without a common set of practices or foundation to build a cyber strategy upon and tie all these regulations together, cybersecurity teams will be continually faced with redundant regulations that vary only slightly and have an immense amount of overlap. A compliance-based CISO, though, is bound to an endless list of checkboxes of each new assessment, regardless of its similarity to others.
Furthermore, compliance is a set of bare minimum, broad spectrum, controls that are meant to secure an entire industry or critical aspect to a country. Compliance-focused organizations will end up overspending in areas they don't have to and underspending in areas they do. A compliance mindset ignores the fundamental principle that every organization is different and as a result, it does not make sense to adhere to the same, rigid security requirements alone.
Shift your mindset from compliance to risk
Align your cyber strategy with business outcomes
While it can be easy to look at risk through a technology or IT perspective, you may be fighting an uphill battle presenting this to non-technical executives and team members. Aligning your cyber strategy and investment in tools with business processes and outcomes allows you to collaborate with other members of the c-suite and the board. This alignment shifts the stance of cyber from a hindrance to a means to effectively achieve objectives, furthering business growth and innovation. Start with asking yourself what identified risks you’re investing the most time and effort in mitigating. What are the disruptions caused by those risks if left unprotected?
Presenting the risks of the organization in a business context empowers non-IT executives and shares the accountability to secure the organization beyond technical members. The sharing of knowledge helps the entire organization recognize that security is an organization-wide effort that everyone must be aware of and participate in. This shift also allows non-technical business leaders to make more informed strategic decisions for their own business units within the context of digital risk.
Propagate a risk-aware, risk-engaged culture
The greatest hurdle to overcome in supporting a risk-aware culture is the foundational principle that there is no such thing as perfect protection. To executives that are uneducated on the subject and non-technical, this concept on the surface can be frustrating. As such, it is critical to start with presenting risk in the context of business outcomes. Risk is a critical piece of the strategic thinking that the c-level and board undertake to steer an organization and they must be effectively informed. It is your job as a security leader to present that information to them as effectively as possible.
Risk is a critical aspect of business strategy
The second tenet of a risk engaged culture is the recognition that with any strategic decision about risk comes residual risk that can't be addressed under the current strategy. Effective risk management processes result in secure growth for the business. Although, for too many CISO’s any residual risk is seen as a failure to do their job. However, a risk-aware culture enables the organization to effectively convey the decisions of which risks to address and why. This transparency is imperative to ensure that the whole organization knows where it stands.
Effectively report on the risk-based approach
If it’s not measured it’s not managed. Shifting from a checklist/compliance based strategy to an integrated view one will change the way your security organization reports on its success. Read more on what four reports a risk-aware CISO needs here.
Handoff of decision making processes to non-technical decision makers
With the buy-in you receive, ensure that non-technical decision makers have all the necessary information to be able to make informed decisions based on the risk their strategy brings.
The tools necessary For a risk-focused organization
GRC to IRM solutions
The transition from a compliance-based organization to risk-based calls for a shift in the technology that empowers your organization as well. Governance risk and compliance (GRC) solutions are designed specifically to help a compliance-based CISO hit the checkboxes on the new mandates they have to meet. Yet, a compliance-based CISO will be stuck in an endless loop of redundant assessments that vary only slightly to meet whatever assessment is currently in progress.
A risk-focused CISO, on the other hand, has different priorities. They are less concerned with checking boxes as they are unifying the risks of their organization within a single pane of glass, capable of being seen throughout the organization. Enter the integrated risk management solution (IRM). An IRM solution aligns with a risk-oriented CISO through six main aspects:
- Strategy - enables implementation of a framework as well as iterations based on improvements made over time
- Assessment - allows for the breakdown and assignment of risks
- Response - tracks the implementation of controls to mitigate risk
- Communication and reporting - empowers a CISO to share this information with technical and non-technical stakeholders throughout the organization
- Monitoring - allows for the identification and implementation of processes that track set governance objectives, risk ownership and accountability, and compliance with policies and decisions that are set through the governance process and risk associated with those objectives along with the effectiveness of risk mitigation and controls
A shift in strategy requires a shift in technology solution
Why IRM must be truly integrated, and not module-based
Many (most) GRC solutions in the market today are module based. Meaning that the value they deliver is in separate modules that a user purchases and therefore has prioritized as part of their cyber program. Integrated risk management and GRC solutions are inherently at odds given that GRC platforms and IRM solutions are built differently: module based platforms are designed and priced for checkbox compliance, not the rapid iteration and increased volumes of transparency across the organization of IRM. A module-based solution inherently creates silos within the organization since we as users will divide and conquer based on the modules within the suite. Since a risk-focused cyber program hinges on the idea of a transparent, integrated approach to risk that is not siloed to the security organization. The shift to a unified risk management program demands a solution that offers a single pane of glass view to the organization's risk profile and cybersecurity posture. The shift to a risk-based culture and enabling technologies can be challenging. With the increased concern at the Board and CEO level, technical and business leaders need technologies that improve decision making processes and visibility into cyber posture.
The CyberStrong platform is the only single pane of glass solution that can truly empower your organization to make the shift from compliance-based thinking and GRC to risk-based strategy and IRM.
Don’t be fooled by GRC solutions with IRM messaging
While many GRC platforms have begun to adopt IRM language, don’t be fooled by the use of IRM terminology. IRM and GRC are at odds as they approach the problem of risk mitigation differently: while a GRC solution may have the aspects of IRM (Gartner: VRM, CCO, BCM, AM, ELM, DRM) as modules, a GRC based solution cannot empower a security team to make the shift to a risk-focused mindset. Module-based solutions simply will not allow it. We are seeing “integrated GRC solutions”, we would say examine how the product enables your organization - does it integrate or does it silo? What a true IRM solution is, and a risk-based strategy demands, is a unified platform that allows for transparency across all six facets of IRM as well as the ability to effectively communicate that information to non-technical stakeholders.
The shift from a compliance-based mindset to a risk-based approach to compliance and risk management strategy is an iterative process. It doesn’t happen overnight. As more business processes move to digital and secondary competencies are outsourced to the supply chain, compliance is no longer sufficient. With security becoming a board-level concern, not just from an internal perspective but from a buying perspective, a risk-based strategy is imperative to future business success. As we’ve seen, it requires both a shift in mindset and culture as well as new technology solutions to empower and sustain those changes.
Read more about the value of an integrated risk management approach and critical capabilities of an IRM solution in the CyberSaint IRM Solution Buying Guide.