There’s not a CEO on the planet who doesn’t have security high on their business agenda as we move into 2018. The combination of escalating cyber attacks and new privacy legislation means that CEOs are being held accountable for the resilience of their organisation and the safety of their customers’ data like never before, writes Rick McElroy.
This is undoubtedly a good thing. CEOs set the culture of an organisation through leadership and the priorities they communicate to management teams. While we don’t expect CEOs to be on the front line of network monitoring and response, we do need them to be setting the culture and outlining the expectations under which those who are on the front line will operate.
What follows are the key questions that CEOs should be asking their teams in order to create an environment of proactive and positive risk management. Regularly asking and answering these questions will lead to a more resilient company that can manage risk effectively and efficiently for competitive advantage.
Q1: How are we managing risk and what’s the structure of the team?
Asking this question should allow CEOs to understand the overall structure and maturity of risk management in the organisation. The team should be able to briefly and succinctly identify the following when asked: ‘Who is actually responsible for managing and accepting risk in the organisation?’ ‘Do you have someone responsible for risk management?’ ‘Is there someone responsible for information security?’ ‘Is someone responsible for compliance?’ ‘Is this decentralised or centralised?’ ‘How many staff members are dedicated to managing risk?’
The team should be able to confidently describe how the overall programme is managed and organised. They should know the chain of command and escalation thresholds and have strong communication channels in place.
Ensuring the security and compliance of business partners and suppliers is an increasingly critical aspect of due diligence for customers, so there are bonus points to be gained by those organisations who have their risk management structure documented and ready to give to external auditors or customers who may ask. This should exist and be ‘ready to go’ at any moment. What it should not require is a long data gathering exercise.
Q2: What’s our risk tolerance?
CEOs and Boards should drive the acceptable level of risk tolerance for an organisation. Of course, in an ideal world we would have zero tolerance for risk, but the last time I checked this world of ours is far from ideal. In reality: “Risk tolerance is defined as the level of risk or degree of uncertainty that’s acceptable to organisations and is a key element of the organisational risk framework. An organisation’s risk tolerance level is the amount of corporate data and systems that can be risked to an acceptable degree. Having a defined risk tolerance level means that the security programme knows the degree to which management requires the organisation to be protected in terms of the myriad threats they face.”
Affording tolerance guidance to the team will ensure that everyone is aligned with the strategic plan and allow all members of the team to drive risk to an appropriate level on an intelligent footing.
Q3: When is risk being considered?
Is risk built into the upstream decision-making process, or only considered later in the life-cycle of the business? The team should help the CEO understand where risk decisions are being made in the business cycle and whether or not the defences in place are commensurate with the risk. This will also speak to the maturity of the organisation’s risk management programme. As that programme matures, managing risk will become an inherent element of strategic and operational business planning rather than a ‘bolt-on’.
Q4: Where is the current list of risks and what’s on it?
Risks come in all shapes, sizes and forms. Some risks are really business opportunities waiting to be realised. The organisation that can manage risk well will not only do a better job of protecting itself from cyber threats (and indeed threats of all kinds), but will also afford itself a long-term competitive advantage.
As the saying goes: “No-one ever succeeded in business without taking risks.” Just because it’s a risk doesn’t make it inherently a bad thing.
For most organisations, risks will fall into one or more of the following categories: Compliance/Regulatory Risks, Security Risks, Financial Risks, Privacy Risks, Industry and Competitive Risks and Management Risks.
Knowing where to find current information on the level, severity and exposure of each of these types of risk is crucial when it comes to making risk-based decisions. Organisations with a mature risk management posture are now using online dashboards updated in real-time – and based on downstream risk data – in order to inform their decision-making and keep them ahead of the curve.
Q5: How are risks being managed and communicated? What’s the cadence of meetings?
This final piece of the jigsaw is all about culture and will allow CEOs to understand whether their organisation embraces open and transparent risk discussions or whether there are still unknown risks which are not being identified, communicated or managed in an appropriate fashion. This will also ensure that risk discussions are positive and ongoing and that they occur at the appropriate timeframes for the organisation.
CEOs who regularly ask these questions of their management teams will ensure that they set a culture of proactive, transparent and competitive risk management within the organisation.
In today’s threat-intensive, privacy-oriented landscape, risk management is a core responsibility for all CEOs, one that, done well, will foster business resilience and a competitive edge.
Rick McElroy is Security Strategist at Carbon Black