The constantly evolving cyber risk landscape presents a formidable challenge to organizations, as businesses transform, scopes and boundaries shift, and bad actors develop new tactics and techniques to exploit vulnerabilities and compromise systems. With risk velocity increasing faster than the resources of most risk-focused teams, collaborating and working together smarter is one of the only ways to keep up. Creating solid partnerships, embracing transparency, and developing consistent strategies for mitigating cyber risk are essential to navigating this complex landscape.
Recently, I hosted a panel discussion among leaders in the cybersecurity domain. This article highlights the best practices and advice they shared on partnering as an organization to address cyber risks, overcoming roadblocks, and the keys to creating a connected risk mindset.
Aligning on Cyber Risk
The panel discussion first focused on partnering within the organization to align on a common understanding and prioritization of the risk landscape. All four speakers agreed that partnering on a shared risk register is one of the most critical elements of a successful cybersecurity program. Lucia Wind, CAE & VP ERM, COSO Board Chair, Unisys, explained, “Risks can often start somewhere else in the organization. A cyber breach likely started with a human or systemic error somewhere else. Understand that few risks are isolated, so we need to be connected to the whole organization to avoid a singular, siloed view of risk.” We cannot afford to exclude any group since this risk impacts everyone.
The partnership must span all levels, including executives and board members. Of course, not all executives are cybersecurity experts, and not all organizations are aligned: some teams focus solely on the cost of security programs rather than the long-term impact of a major security breach.
Bridging the Resiliency Gap
Closely related to alignment, collaboration is the other key differentiator the panel discussed for combating cyber threats. “There is no such thing as no risk in cyber risk management,” reminded Dominique Vincenti, VP & CAE, Uber, “but we can strive for no surprises. With collaboration, we reduce the occurrences of surprises. More transparency and data sharing between groups leads to fewer surprises.” With fewer surprises, the organization is resilient and can minimize the fallout.
Wind gave an excellent example of data sharing that uses risk assessments as a common denominator across assurance teams. She said, “Understand how many people are doing risk assessments and how those are done. When these are brought together, each team brings their subject matter expertise to get a more holistic view of the organization. A united front makes the organization better.” She explained that deeper collaboration leads to a standard definition of risks that can be shared with others, such as the process owners, who might not otherwise understand what you mean when you discuss risk. Some process owners need help to see beyond their own role to the enterprise-level risk perspective. When something big happens later, you have the partnerships and a consistent understanding in place to respond quickly.
Removing Roadblocks to a Connected Risk Mindset
While alignment and collaboration may be the keys to a successful, connected cyber risk program, many organizations face roadblocks to establishing this way of working. Wind pointed out that “most of the time, people are busy and caught up in their own work, but in the end, we are all there to protect the company.” She advised focusing on relationship building to remove roadblocks before a problem occurs.
All the panelists agreed that while there may be some resistance, the organization is substantially stronger when everyone works toward a unified goal. Building relationships, developing a cohesive understanding of risks, and collaborating to protect the organization are crucial since bad actors will continue to look for vulnerabilities and take advantage of more sophisticated technology. When we all work together within a connected risk mindset, we can stay ahead of the threats and ensure the security of the data and systems.
Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.