We all know how hectic the life of a CISO can be regardless of the size of business they support or the industry they are involved in. CISOs face many challenges including one that is becoming increasingly important: handling the Risk Management program for their organization. With news every day about ransomware attacks, dramatic weather events and insider threats, every CISO needs to assess a multitude of risks to their organization.
When building a Risk Management program the volume of data required to be collected and analyzed before informed decisions can be made is challenging, making it difficult to have an effective conversation with executives and/or the Board. Taking the old fashioned approach to Risk Management is no longer effective because traditional methods can't use real-time data. Using data that is out of date can leave your organization in a vulnerable position. So how can we make the life of a CISO a little easier? The answer is to choose a data centric approach to Risk Management.
The key to a successful Risk Management program is choosing a data centric approach.
Understanding Risk Management - the Homeowner’s Perspective
Risk Management can seem like a complicated topic but I explain it with a comparison to a homeowner’s perspective to risk. Homeowners deal with a certain amount of risk when it comes to their home and property. For example, a homeowner’s risk mainly revolves around their home building and can include the chance of damage from weather events such as floods or hurricanes, or the threat from property break-ins, damage from termites or mold and possibly even lawsuits from delivery people who may slip on icy sidewalks. To mitigate these risks the homeowner might purchase flood insurance, home security systems, pest control and perhaps make sure that their sidewalk is cleared from snow and ice in the winter. Actions taken by the homeowner depend on factors including location - for example, a California homeowner might be more likely to invest in earthquake insurance. When considering a Risk Management strategy the homeowner has to consider all these elements and their affordability. The homeowner might change their Risk Management strategy over time if, for example, their house floods more often due to rising sea levels or the increasing number of storms each year.
As you can see, there are many variables that affect Risk Management, even from a Homeowners perspective. So when you are a CISO, and perhaps considering multiple office locations with hundreds of employees, the risks multiply and using spreadsheets to track that data is no longer sufficient. Critical decisions cannot be made using intuition and a generalized sense of pervasive threat. Instead, real time data must be used to identify threats and consider them based on the importance of the risk to your organization.
[Ostendio Whitepaper: The Benefits of Using a Data Driven Approach to Risk Management. Download here.]
How does a CISO handle Risk Management?
CISOs have some similarities with a Homeowner. The CISO has to consider how weather events might affect their office buildings and equipment, however there is a whole list of other threats they have to consider for example, unauthorized access by hackers, equipment failure, third party breaches, litigation or regulatory breaches. Each threat has a complex set of questions and considerations for the CISO. The CISO also has to consider the priority of each risk compared to the other. Most CISOs today don’t have access to up-to-date data to fully address this challenge. Many fail to deal with it at all.
Traditionally, spreadsheets have been used to tackle Risk Management but this approach is constrained by the two dimensional nature of the media. Complex spreadsheets struggle to build, track and maintain, let alone digest the data, making it an imperfect format to communicate with leadership.
Moving forward with the latest Risk Management tool
While there are no shortcuts to developing a Data Driven Risk Management program, there are ways CISOs can make it more manageable. By using the right tools to simplify the task, CISOs will have a clearer understanding of a continually evolving risk landscape. A model that combines a holistic view of enterprise-wide data along with granular visibility into specific risk drivers, can help CISOs build and operate a Risk Management program that allows leadership to make informed choices about how to prioritize risk mitigation. CISOs should look for a tool that allows for systematic planning and one that aligns with regulations and frameworks so the organization can be easily audited.
The Ostendio MyVCM platform gives an overview heatmap showing an organization's current risk profile.
Why is Risk Management important?
Think about the outcome when an organization is not prepared and an incident occurs. A simple ransomware attack can be very costly to a business. A recent article, explores 7 unexpected costs of a ransomware attack including how to keep the business running when systems are affected, higher cyber insurance fees and the loss of customer trust. By establishing a Risk Management program, the CISO is less likely to have to deal with an incident and, if a serious incident does occur, the processes are in place to minimize the impact to the business.
In today’s business environment, all businesses, regardless of size or industry, need to have a Risk Management program in place. Using a data driven approach will help CISOs tackle the Risk Management challenges that lie ahead.
Find out how Ostendio could help your business with Risk Management by scheduling a time with one of our experts for a free demo of the Ostendio MyVCM platform.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at email@example.com.
Risk Management Whitepaper
This Whitepaper looks at Risk Management in-depth and discusses why a data driven approach brings multiple benefits to organizations of all sizes and in all industries.