Shift to Integrated Risk Management and a Risk-Based Lens
Why a compliance-based mindset will fail
With the National Cyber Strategy and the rise of regulations like the CCPA and GDPR, the future for a compliance-based CISO is a patchwork of cross-border regulations that will further fragment an already siloed cybersecurity organization. Without a common thread or foundation on which to build a cyber strategy and tie all these regulations together, cybersecurity teams will continually face redundant regulations that vary only slightly and overlap immensely. A compliance-based CISO, though, is bound to the endless list of checkboxes in each new assessment, regardless of its similarity to others.
Furthermore, compliance is a set of bare-minimum, broad-spectrum controls meant to secure an entire industry or a critical aspect of a country. Compliance-focused organizations end up overspending in areas where they don't have to and underspending in areas where they do. A compliance mindset ignores the fundamental principle that every organization is different, and as a result it does not make sense to adhere to the same rigid security requirements alone.
Shift your mindset from compliance to risk
Align your cyber strategy with business outcomes
While it can be easy to look at risk through a technology or IT perspective, you may be fighting an uphill battle presenting it that way to non-technical executives and team members. Aligning your cyber strategy and your investment in tools with business processes and outcomes allows you to collaborate with other members of the C-suite and the board as a means to further company growth and innovation, instead of being seen as a hindrance. Start by asking yourself which risks you are investing the most time and effort in protecting against. What disruptions would those risks cause if left unprotected?
Presenting the organization's risks in a business context empowers non-IT executives and extends accountability for securing the organization beyond its technical members. Sharing this knowledge helps the entire organization recognize that security is an organization-wide effort that everyone must be aware of and participate in. This shift also allows non-technical business leaders to make more informed strategic decisions for their own business units within the context of digital risk.
Propagate a risk-aware, risk-engaged culture
The greatest hurdle to overcome in supporting a risk-engaged culture is the foundational principle that there is no such thing as perfect protection. To non-technical executives unfamiliar with the subject, this concept can be frustrating on the surface. It is critical to start by presenting risk in the context of business outcomes. Risk is a critical piece of the strategic thinking that the C-level and board undertake to steer an organization, and they must be effectively informed. It is your job as the CISO to present that information to them as effectively as possible.
Risk is a critical aspect of business strategy
The second tenet of a risk-engaged culture is the recognition that any strategic decision about risk leaves residual risk that isn't addressed under the current strategy. Risk, if handled properly, results in secure growth for the business. To many CISOs, though, any residual risk is seen as a failure to do their job. A risk-aware culture across the organization, however, can effectively convey the decisions about which risks to address and why. This transparency is critical to ensuring that the whole organization knows where it stands.
Effectively report on the risk-based approach
If it's not measured, it's not managed. Shifting from a checklist- or compliance-based strategy to a risk-based one will change the way your security organization reports on its success. Read more on the four reports a risk-aware CISO needs here.
Handoff of decision-making processes to non-technical decision makers
With the buy-in you receive, ensure that non-technical decision makers have all the information necessary to make informed decisions based on the risk their strategy brings.
New tools are necessary to empower a risk-focused organization
GRC to IRM solutions
The transition from a compliance-based organization to a risk-based one calls for a shift in the technology that empowers your organization as well. GRC solutions are designed specifically to help a compliance-based CISO hit the checkboxes of each new mandate they have to meet. Yet, as discussed earlier, a compliance-based CISO will be stuck in an endless loop of redundant assessments that vary only slightly, working through whichever assessment is currently in progress.
A risk-focused CISO, on the other hand, has different priorities. They are less concerned with checking boxes than with unifying the risks of their organization in a single pane of glass that can be seen throughout the organization. Enter the integrated risk management (IRM) solution. An IRM solution aligns with a risk-oriented CISO through six main aspects:
Strategy: enables implementation of a framework as well as iterations based on improvements made over time
Assessment: allows for the breakdown and assignment of risks
Response: tracks the implementation of controls to mitigate risk
Communication and reporting: empowers a CISO to share this information with technical and non-technical stakeholders throughout the organization
Monitoring: allows for the identification and implementation of processes that track set governance objectives; risk ownership and accountability; compliance with the policies and decisions set through the governance process and the risk associated with those objectives; and the effectiveness of risk mitigation and controls
A shift in strategy requires a shift in technology solution
Why IRM must be truly integrated, and not module-based
Many, if not most, GRC solutions on the market today are module-based, meaning that the value they deliver depends on the modules a user purchases and has therefore prioritized as part of their cyber program. A module-based solution cannot support a risk-focused security approach because it is built on a different foundational approach: a risk-based strategy requires rapid iteration and far greater transparency across the organization. A module-based solution inherently creates silos within the organization, since we as users divide and conquer based on the modules within the suite. A risk-focused cyber program, by contrast, hinges on a transparent, integrated approach to risk that is not siloed within the security organization. The shift to a unified risk management program demands a solution that offers a single-pane-of-glass view of the organization's risk profile and cybersecurity posture.
The CyberStrong platform is the only single-pane-of-glass solution that can truly empower your organization to make the shift from compliance-based thinking and GRC to a risk-based strategy and IRM.
Don’t be fooled by GRC solutions with IRM messaging
While many GRC platforms have begun to adopt IRM language, don't be fooled by the use of IRM terminology. IRM and GRC are at odds because they approach the problem of risk mitigation differently: while a GRC solution may offer the aspects of IRM (Gartner: operational risk management, vendor risk management, corporate compliance and oversight, business continuity management, audit management, enterprise legal management, digital risk management) as modules, a GRC-based solution cannot empower a security team to make the shift to a risk-focused mindset. Module-based solutions simply will not allow it. What a true IRM solution is, and what a risk-based strategy demands, is a unified platform that provides transparency across all six facets of IRM along with the ability to communicate that information effectively to non-technical stakeholders.
The shift from a compliance-based mindset to a risk-based strategy is an iterative process. It doesn't happen overnight. As more business processes move to digital and secondary competencies are outsourced, compliance is no longer sufficient. With security becoming increasingly critical, not just from an internal perspective but from a buying perspective, a risk-based strategy is imperative to future business success. As we've seen, it requires both a shift in mindset and culture and new technology solutions to empower and sustain those changes.
Making the shift to IRM? Read more about the CyberStrong platform here.