It’s no secret security has become a critical consideration for businesses since COVID. More than three in four (77%) respondents to EY’s 2021 Global Information Security Survey say that they’ve seen an increase in the number of disruptive attacks, such as ransomware, over the prior 12 months. In response and to maintain a secure posture, the digital transformation many companies had planned over a period of years now had to happen in a matter of weeks or days.
Respondents to a McKinsey survey published in the fall of 2020 say their companies implemented key changes 20 to 25 times faster than expected. Once the crisis lessened somewhat, two things were clear. First, the changes implemented during the pandemic would be more or less permanent, and second, the threat surface was much larger than before the pandemic due to the increased number of remote workers.
With this enlarged threat surface, embracing a risk-centric approach to security and compliance is critical.
But, how can your organization do this?
By understanding your organization’s overall risk appetite, your teams can put checks into place to ensure risk is managed and compliance is achieved. In turn, remaining compliant and maintaining documents and audit material will help to reduce risk.
Risk and Compliance Are Symbiotic
Compliance and risk are often thought of as separate considerations, and for larger companies, they can serve distinct functions. In reality, risk and compliance share a symbiotic relationship with compliance affecting risk, and risk affecting compliance. Therefore, what you do within your compliance program will directly impact your level of risk.
The key difference between risk and compliance is that risk is a concept and compliance depends on action. Compliance consists of a framework of statutory, regulatory, or contractual requirements and implemented controls to satisfy those obligations.
Recommended CIO Blog: Mastering the Cybersecurity Maze: Tips for Seamless Logistics
Compliance is binary.
Each requirement is either met or unmet. In contrast, risk manages decisions across a range of expectations and actions to achieve positive business outcomes.
Risk is on a continuum.
Whether a risk is acceptable or not will vary with an organization’s risk appetite.
Gauging the Risk Appetite
Successful risk management requires buy-in at the executive level and a place at the table for security executives during strategic decision-making. Considering risk after a decision has been made (or worse, executed) is simply too late.
The strategic level is also where the organization determines its risk appetite – that is, which risks it is willing to accept to achieve its goals and which ones it is not. This is a subjective evaluation, of course. Your organization’s leaders must determine what makes sense in the context of strategic and operational priorities.
For example, a tech startup will likely accept greater risk than an established financial institution.
Questions to ask to gauge risk appetite:
- What is the opportunity before us?
- What risks does it create?
- What risks is it subject to?
- What investments are necessary to bring that risk down to an acceptable level?
- Is that cost significantly less than the opportunity?*
*If the answer to the last question is “yes,” then the organization is better positioned to pursue the opportunity. If not, you must find other ways to mitigate the risk or move on to other options.
Master a Risk-Centric Approach
In any risk-centric risk management program, you will want to start with the controls provided by compliance. Remember, risk and compliance are symbiotic, or two sides of the same coin. Controls are derived from compliance and are guided by your risk appetite. So, flip around the language of the controls and begin to uncover the underlying and related risks the controls are reducing. The result of this exercise will be a risk registry that you can further refine, categorize by business objective, and prioritize risks to bring them within acceptable limits. Taking a risk-centric approach requires these questions:
- Are controls effective?
- Do controls also contribute to achieving operational goals?
- Do controls help reduce risk?
Let’s take a hypothetical example. Let’s say that you have a security policy requiring users to create an eight-character password containing upper and lower-case letters, numbers, and symbols. What is the risk behind this requirement? It’s that a brute-force or other attack will be able to unlock a password and gain entry to your organization’s systems. By identifying the underlying risk, you can better understand how well this control addresses it.
Furthermore, by knowing your risk appetite, you can determine what actions are next (e.g., extend the password length and limit login attempts) to lower the risk to an acceptable level.
Hackensack Meridian Health Modernizes its Cloud and Data with Google Cloud
Driving Business Results With a Strategic Approach to Risk
Every business activity involves risk, so simply viewing and measuring risk at a high level is not enough. In a compliance program, controls are simply pass-fail. When the organization is “in compliance,” it has met the minimum requirements under its obligations. But, being able to say “we’re compliant” is not the same as understanding to what extent implemented controls have effectively reduced the underlying risks. You must also identify and categorize risks as they relate to individual business activities and the context around them.
Driving better security comes down to leveraging risk management principles effectively. You must be prepared to put all necessary resources toward reducing the highest risks and more effectively safeguard business data and assets. The tools and automation involved can substantially ease the burden of managing this information and related activities. In addition, a risk-centric risk management approach builds trust among customers and business partners, ultimately supporting your go-to-market initiatives.