Opening up risk management: Always on, everybody’s business
Published: November 08, 2019
Just as cyber-related threats have emerged as a top concern of companies globally, senior executives are losing confidence in their ability to assess, prevent and respond to them. In a way, this is understandable. Technology is a constantly moving target, and every effort to bring a new product or service to customers inevitably creates new risks.
Marsh/Microsoft Cyber Risk Perception Survey
How can business leaders turn things around? We first need to accept that in this environment, the traditional approach to cyber risk management - tasking specialists to build and maintain huge documents, while software teams press on in a bubble - is no longer fit for purpose. Risk has to be addressed collectively and dynamically - that is, by everyone from the board down and, rather than after a product is built or a crisis erupts, on a constant basis.
From what I’ve seen in my work with clients, some organisations are already taking steps in this direction. But often, even when business leaders tell teams to build security into everything they do, it’s still sacrificed for a compelling new feature or faster speed to market. This struggle, where the strategy is set but the tactics aren’t working, is, in my experience, often the result of a few common issues. Here’s a brief checklist on how to avoid them.
1. Balance risk - and recognise value
Even the most basic security practices and activities will take second priority to delivery unless their value is understood. Security will have little traction unless inherent risk - that is, the risk the business carries if all controls and protections were to fail - has been understood. Importantly, rather than being treated as an obstacle, risk needs to be measured in terms of its business impact, just like any other development initiative or enterprise asset.
That means assessing what avoiding failure is ‘worth’ to the company, whether in financial terms or in other measurable outcomes. Recognising that steps to balance risk have real value makes them hard to trade away for the sake of speed or convenience. It also helps create a business case to justify the investment needed to embed security into a product from the outset, and underlines to everyone, from the executive leadership to product developers, the connection between risk and business priorities.
2. Strive for ‘just enough’
Since eliminating risk isn’t realistic, enterprises should be aiming for a state of balance where the investment in safeguards - the time, effort and/or resources spent on risk control and protection - is proportionate to the inherent risk those safeguards reduce. Spending well beyond that point is as much a failure of risk management as spending too little.
Drilling down to identify specific key loss events and analysing their magnitude, frequency and likelihood enables the enterprise to zero in on the specific activities and needs required to prevent these scenarios and establish clear investment priorities. By making this information clear and comprehensible, and ensuring it’s articulated throughout the organisation, business leaders can create a de facto risk management ‘code’ that captures key areas of focus and provides a clear foundation for future risk management decisions.
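The loss-event analysis described above can be made concrete. The following is an added example, not code from the article or from Thoughtworks: it models each key loss event as an expected yearly frequency plus a (min, likely, max) loss range, scores candidate safeguards by how much expected annual loss they avoid against what they cost, and runs a small Monte Carlo to show the tail (the ‘1-in-20-year’ loss) that an average alone hides. The scenario, event figures, control names and their cost/reduction numbers are constructed for illustration; the triangular-loss and Poisson-frequency assumptions are mine, borrowed from common quantitative risk practice rather than prescribed by the text.

```python
"""Loss-event quantification and 'just enough' control investment.
Added example: all figures below are constructed, not from a real assessment."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossEvent:
    """A key loss event: expected frequency and a per-occurrence loss range."""
    name: str
    frequency: float      # expected occurrences per year
    min_loss: float       # best-case loss per occurrence
    likely_loss: float    # most likely loss per occurrence
    max_loss: float       # worst-case loss per occurrence

    def expected_loss_per_event(self) -> float:
        # Mean of a triangular distribution over (min, likely, max).
        return (self.min_loss + self.likely_loss + self.max_loss) / 3

    def expected_annual_loss(self) -> float:
        return self.frequency * self.expected_loss_per_event()


@dataclass(frozen=True)
class Control:
    """A safeguard with an annual cost and the reductions it buys."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0   # fraction of occurrences prevented
    magnitude_reduction: float = 0.0   # fraction of per-event loss avoided


def apply_control(event: LossEvent, control: Control) -> LossEvent:
    """Residual loss event once the control is in place."""
    f = 1 - control.frequency_reduction
    m = 1 - control.magnitude_reduction
    return replace(event, frequency=event.frequency * f, min_loss=event.min_loss * m,
                   likely_loss=event.likely_loss * m, max_loss=event.max_loss * m)


def net_benefit(event: LossEvent, control: Control) -> float:
    """Expected annual loss avoided minus the control's yearly cost.
    Negative means the safeguard costs more than the risk it removes."""
    residual = apply_control(event, control).expected_annual_loss()
    return (event.expected_annual_loss() - residual) - control.annual_cost


def rank_controls(event: LossEvent, controls: list) -> list:
    """(name, net benefit) pairs, best investment first."""
    scored = [(c.name, net_benefit(event, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm: occurrences of an event in one simulated year."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(events: list, years: int, seed: int = 1) -> list:
    """Monte Carlo: total loss in each simulated year across all events."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for e in events:
            for _ in range(_poisson(e.frequency, rng)):
                total += rng.triangular(e.min_loss, e.max_loss, e.likely_loss)
        totals.append(total)
    return totals


def percentile(values: list, p: float) -> float:
    """Loss not exceeded in a fraction p of simulated years (0 < p <= 1)."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(p * len(ordered)) - 1))
    return ordered[idx]


# Constructed scenario (hypothetical numbers): credential stuffing against a portal.
CREDENTIAL_STUFFING = LossEvent("credential stuffing", frequency=2.0,
                                min_loss=10_000, likely_loss=50_000, max_loss=300_000)
CANDIDATE_CONTROLS = [
    Control("mandatory MFA", annual_cost=40_000, frequency_reduction=0.5),
    Control("bot-management WAF", annual_cost=90_000, frequency_reduction=0.5, magnitude_reduction=0.2),
    Control("24x7 fraud analysts", annual_cost=400_000, magnitude_reduction=0.6),
]

if __name__ == "__main__":
    print(f"Inherent expected annual loss: {CREDENTIAL_STUFFING.expected_annual_loss():,.0f}")
    for name, benefit in rank_controls(CREDENTIAL_STUFFING, CANDIDATE_CONTROLS):
        print(f"{name:22s} net benefit per year: {benefit:,.0f}")
    losses = simulate_annual_losses([CREDENTIAL_STUFFING], years=20_000)
    print(f"Simulated mean: {sum(losses) / len(losses):,.0f}; "
          f"1-in-20-year loss: {percentile(losses, 0.95):,.0f}")
```

With these constructed figures the inherent expected annual loss is 240,000; MFA nets 80,000 a year and the WAF 54,000, while the analyst team removes more loss than either but costs far more than it saves (net -256,000), which is exactly the ‘more than enough’ case the text warns against. The 95th-percentile simulated loss sits well above the mean, which is why the conversation with finance should cover the tail, not just the average.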
Of course, identifying and valuing risk isn’t an exact science. Companies may have various formal or mathematical frameworks to guide the process, but it’s also important to remember that we all have a basic understanding of risk. We all make risk-based decisions all the time in our daily lives. That means human discernment can, and should, play a role - and in general, the more people and perspectives are involved, the better. Which brings us to the next point.
3. Make risk management a team effort
Any organisation whose risk management division sits in a silo very likely has tunnel vision. Just as technology increasingly cuts across functions, risk needs to be perceived and addressed as a collective responsibility. When the enterprise sets out to identify and measure risk, virtually every stakeholder with a say in the needs and objectives of the business should be represented. This means delivery teams, who have to understand the risk (and value) of what they’re building, but also legal and compliance, who can identify stakeholder needs that have not been addressed, as well as the finance teams who may need to sign off on risk management investments. It even includes customer-facing teams, who have vital insight into how products are used in the field.
Consistently communicating risk information to teams throughout the enterprise should be seen as part of the risk management role. If a quantitative model or threat assessment shows storing certain data can put customers in danger, or increase risk exposure to a third party, it’s vital that this knowledge makes its way to developers rather than remaining buried in a little-viewed monthly report. Executive teams may not be involved in product testing or all security conversations - but they do have a vital role in providing input, flagging these conversations as important, and coordinating across functional silos to make sure everyone is participating. As with most strategic initiatives, the tone is frequently set from the top.
4. When it comes to security, don’t ever stop
Digital business is defined by a continuous approach to development where products are consistently improved based on data analysis and end-user feedback - and that calls for a similar approach to security.
Once inherent risk has been understood, investments have been made and the secure delivery lifecycle is a reality, the enterprise can’t sit still. As data and feedback call for new features, new services, or perhaps the migration of customers to completely different platforms, the risk profile and metrics associated with a product will keep changing. When that change comes, the team needs to go back and review the risk balance, gauging where additional investments or resources may be needed (or, more happily, where risk has been reduced and resources can be shifted elsewhere). This won’t always be a seamless journey, but when business leaders have made it clear it’s a strategic necessity and teams grow familiar with the processes required, balancing risk with secure delivery becomes second nature. The safest organisations will be those that embrace risk management as a culture, rather than just a process checkbox to tick.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.