Does Your Organization Make Risk-Aware Decisions?

Michael Wright is an experienced Chief Information Security Officer with 15 years’ experience in information technology and information security, with a focus on regulatory cybersecurity compliance and risk management. Michael’s previous role was Chief Security Officer for TECH LOCK, Inc. from 2009 – 2018. He is currently a CISO & Cybersecurity Consultant. This article was originally published on LinkedIn and is republished here with permission.

Risk Management Series – Part 1 of 4

Welcome to the first in a four-part series of articles about risk management. This article will set the foundation for those that will follow by highlighting three common challenges that organizations run into with regards to risk management. The subsequent three articles will explore each item in more detail and include specific recommendations you can take back to your organization for improvement.

Challenge #1: Security at all Costs

Mordac, the Preventer of Information Services

As with information security auditors, a common tongue-in-cheek criticism of risk practitioners is that they sometimes seem to believe their role is to make the business so secure that it can’t adequately function. Whether or not this is warranted, it’s important for executive management to ensure that the person driving their enterprise risk framework aligns their risk management activities with the organization’s risk appetite, and not the other way around.

Challenge #2: Check the Box and See You Next Year

Image of control RA-3 from NIST SP800-53 rev.4 with checkmark superimposed.

Many organizations conduct an annual risk assessment because they’re required to by a regulation, a standard, a client, or shareholders. This annual risk assessment might result in a spreadsheet or report that lists identified risks and management’s response to them. The risk management activities typically end there (at least until the next annual risk assessment is due). However, unless risk management activities are ingrained into everyday business operations and an effective risk awareness program is implemented enterprise-wide, organizations are at greater risk (ha!) of harm.

Challenge #3: ‘Mutton yesterday, mutton today, and blimey, if it don’t look like mutton again tomorrer’

Illustration of trolls by J.R.R. Tolkien for The Hobbit; coloured by H. E. Riddett for The J.R.R. Tolkien Calendar 1979

Many cybersecurity audits focus primarily (or exclusively) on IT. It’s typically the IT Director and their staff that sit with the auditors and provide evidence of in-place controls. There may be an interview here and there with the HR Manager and some folks in operations, but the fact remains that many information security controls tend to be technical in nature. Risk assessments tend to follow the same path of focusing on IT. However, it’s important that executive management empower the risk practitioner to operate a truly enterprise-wide risk management framework and include non-IT functions and business processes under the risk management umbrella.

Stay tuned next week for the next article in the series, which will discuss what to look for in a risk practitioner, explore the concepts of risk appetite and risk tolerance, and why it’s important to establish good risk governance.
