Starting the Conversation Between Security and Risk Management

Jul 17, 2019 | by Tim Norris

Benjamin Franklin quipped, “in this world nothing can be said to be certain, except death and taxes.” In today’s hyperconnected age, I think it is safe to add digital risk to the list. With the ever-present threat of cyber attack, digital risk isn’t going away anytime soon.

To manage the growing attack risks we need to break down traditional organizational silos. While security and risk management leaders both play important roles in managing risk, they often do so separately. Too often the two do not work collaboratively to identify and assess risk, to prioritize investments and resources aligned to business priorities, or to establish well-oiled workflows for managing cross-functional responses in the event of an attack so that business impact is minimized.

Organizations need to rethink people and processes to be collaborative when managing the increasing cyber attack risk resulting from digital transformation. I agree with Henry Ford who once said, “Coming together is the beginning, staying together is progress, and working together is success.”

Where to start? As noted, “coming together is the beginning,” and coming together starts with a conversation. While everyone wants to do what’s best for the business, too often we get so focused on our own day-to-day tasks that we miss the opportunity to take a holistic look at risk and how it impacts other parts of the organization.

In our recent webinar – Security and Risk: Tackling Digital Risk Together – Steve Schlarman and I discussed tools that security and risk management leaders can use to start the conversation. First, we talked through a demonstration of the new RSA® Digital Risk Index – a simple online assessment to measure an organization’s digital risk profile. The real value of this tool is in having both security and risk management leaders take their assessment results and start a conversation on how each views the various risk areas. Why? One of the inhibitors we hear when talking to customers about this issue is that they don’t understand the perspectives of the other side. Using a tool like this forces those conversations out into the open. It also reveals gaps in perception and understanding of risk, which fosters better collaboration on mitigation.

In addition to the assessment tool as a conversation starter, here are a few more thoughts on possible collaboration areas. This “checklist” can be a high-level guide to framing the collaboration agenda:

  • Establish a baseline and assess the risks together. Likely both silos have some assessment already, but how closely aligned are they? How well do they reflect business and IT/security priorities? How are they mapped to business impact?
  • Determining a risk tolerance is key to ensuring alignment between what is acceptable and what is not. Driving that alignment means clear communication across silos.
  • Preparation is key and takes practice, too. Test your workflows and processes to see where they aren’t working, and constantly improve so you are prepared for an attack.
  • Prioritization is a must. Find ways to work together to share business context so analysts can better prioritize alerts and focus on what matters most.
  • Establish the communication flow and know the regulatory requirements around communication and notifications. Ensure this information isn’t trapped in silos, as regulations like GDPR require fast notification (72 hours from discovery). Compliance processes are critical.
  • Take stock. What happened? How did it occur? How do we prevent it from happening again? In most cases this retrospective is conducted in silos. However, the reality is that a breach is more than just an IT problem or fix. Take a collaborative approach to identify not only the technical vulnerabilities, but also the process and people areas to improve in order to minimize the impact of a future event.

You can find more of these conversation starters in the Guide to Working Together to Mitigate Cyber Attack Risk, along with additional practical tips to motivate a conversation. Combine these tips with the RSA Digital Risk Index tool to begin breaking down the silos between security and risk management and to start to better understand each other’s perspectives on mitigating cyber attack risk. Once we come together, we build the foundation upon which security and risk leaders form relationships and muscle memory to continue working together towards stronger alignment on managing risk. And then, as Henry Ford said, working together leads to success.

# # #

Looking for more? Check out these additional resources to improve collaboration, mitigate cyber attack risks and minimize the business impact of a cyber attack.

RSA® Digital Risk Index
Are you struggling to gauge how much risk your organization faces from digital transformation?

Take our quick self-assessment, and in a matter of minutes, you'll have a much clearer understanding of your digital risk exposure.

Security and Risk Management Collaboration: A Guide to Working Together to Mitigate Cyber Attack Risk
A practical guide and checklist to facilitate conversations with security and risk management leaders to work more collaboratively to mitigate cyber attack risk.

Security and Risk: Tackling Digital Risk Together Webinar

Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity

Category: RSA Fundamentals, Blog Post

Keywords: Cybersecurity, Security, Digital Risk, Digital Risk Management, CSO, CISO, Chief Security Officer, Chief Information Security Officer, Chief Risk Officer, Threat Detection and Response, SOC