There are four pillars to implementing an integrated risk management program:
- Aligning your cyber strategy with business outcomes
- Facilitating a risk-aware, risk-engaged culture
- Integrating risk into business strategy discussions
- Effectively reporting on a risk-based approach
Align Your Cyber Strategy With Business Outcomes
The new role of CISO is acting as a bridge between technical cybersecurity teams and business-side stakeholders and executive management. The critical step is to ensure that you align your cyber strategy and tactics with the business outcomes that executive management is seeking to achieve. This alignment helps show business leaders that cyber can be a business enabler, not a hindrance to business growth. Start by asking yourself what identified risks you’re investing the most time and effort in mitigating. What are the disruptions caused by those risks if left unprotected? Is your company enabling technologies that improve performance through an integrated view of risk?
Presenting the managed risks of the organization in a business context empowers non-IT executives and shares the accountability to secure the organization beyond technical stakeholders. Sharing your knowledge helps the entire organization recognize that security is now an organization-wide effort that everyone must be aware of and participate in. This shift also allows non-technical business leaders to make more informed strategic decisions for their respective business units within the context of digital risk and the unique set of risks they may face.
Facilitate A Risk-aware, Risk-engaged Culture
Any goal of shifting an organizational culture can appear daunting, but with the right amount of patience and the correct approach, it is possible. As a CISO, it is critical to ensure that you have buy-in from allies and colleagues within the C-suite to support your effort of shifting culture. While every organization is different, trends emerge when choosing a dream team of initial stakeholders to get buy-in: the Chief Operating Officer (COO), the Chief Human Resources Officer (CHRO), the Chief Information Officer (CIO), and the Chief Marketing Officer (CMO).
CyberSaint partner’s experience, these positions as first alliances prove true. In one of these case studies, they worked with a Fortune 100 entertainment company, and their point of contact was the Director of IT (eventually the CISO when they created the position). The IT Director knew they needed to increase risk awareness across the organization and began soliciting buy-in from the CIO and the COO. The reason for this choice was that with the CIO’s technical understanding and the COO’s process of identifying ownership of employee development, these two would be the IT Director’s best evangelists as the program grew. The results were stunning. Once the IT Director, CIO, and COO had established the needs and goals they began expanding in concentric circles - going from three to 15 to 100 and so on until they did alter the company culture.
A culture change of any kind is daunting - a journey that requires patience, diligence, and constant vigilance to ensure that the new ideas remain and scale with the organization. For CISOs working to increase cyber risk awareness at their organization, stating that you are going to change the culture is like saying you’re going to change the direction of a river - it is possible, but you have to start small. Start with critical stakeholders that will facilitate the change with you and be prepared to evangelize. Changing the organization may require changes to you and your team first. Sometimes, the most significant barrier to CISOs getting buy-in for their programs was the inability of the C-suite to understand the technical jargon that most program management tools deliver. Instead, communicate in the language that Boards and CEOs can understand - remember, they want to follow. Ensure that, together with the right alliances, the right technology can empower your team to support a risk-based culture more effectively via your new integrated risk management strategy.
Risk Is A Critical Aspect Of Business Strategy
CISOs implementing an IRM program must see the give and take between business growth and security. Any strategic decision or new business growth shifts the risk landscape and could impact business. In today’s business world, the assumption is that new business growth is in some way related to technology and, as such, increases the digital risk profile of the organization.
Effective risk management activities result in secure growth for the business. However, too many CISOs see any residual risk as a failure to do their job. A risk-aware culture enables the organization to effectively convey the decisions of which risks to address and why a set of practices exists. This transparency is imperative to ensure the whole organization knows where it stands on risk management activities.
Effectively Report On Your New Risk-based Approach
If it’s not measured, it’s not managed. Shifting from a checklist compliance-based approach to integrated risk management will change how your security organization reports on its success. An integral value of an integrated approach to risk and compliance is the powerful insights that leaders can glean from all that information being in one place. Where cybersecurity organizations would previously have to spend weeks or months generating reports from scores of spreadsheets and risk registers, using an integrated approach and an IRM program not only delivers better stories and insights but automates much of the reporting process.