For CISOs, data risk is like a fire underfoot. Data’s very fluidity and its constant generation make a complete lockdown impossible, no matter how tight your security. We’re long past the days of data moving in a loop within a closed network. Even if you could build a wall, you wouldn’t, because growth can’t happen in a vacuum. So how do you take advantage of the scalability and flexibility of new technologies while melding them with your workforce into a force for risk management, data privacy and security?

That’s the crux of the matter. Being in an evolving, growing business requires taking risks. Grow too fast, get too “disruptive” or aggressive, and the risk undermines long-term stability. Rein it in too tightly, and you miss out on capitalizing on opportunities that make sense. Knowing your risk appetite helps you figure out the right route to take in risk management planning. For too long, CISOs have borne the brunt of data security worries that need to be an organization-wide priority.

Just look at the blur of 2018’s data breach headlines. Millions of people using apps like Facebook, staying at one of Marriott’s many properties, exploring Quora’s knowledge base or using the US Postal Service, saw their personal data privacy compromised. And now we’re seeing regulations like the GDPR and the CCPA (coming in 2020) emerge to draw a line in the sand on how companies – global to local – protect personal data. That’s pushing risk management to the forefront.

Ultimately, as an organizational leader, you’ll need to decide which risks are necessary to continue your growth trajectory, then prioritize how you manage them. Start with these five recommendations:

  1. Know which data is most sensitive, where it lives, where it travels and how it’s accessed. Establishing the value of your data helps determine protection priorities.
  2. From the mail room to the board room, implement communication measures, training and tools that ensure your people and processes actually interact to limit data privacy and security risks.
  3. Use a centralized method to track documentation, updates in policies and procedures, how they’re rolled out, who’s taken the training and how they scored. Optimally, you’ll use the same platform for asset inventory and logging what security updates have been made and when.
  4. Drive security awareness throughout the organization by drawing clear lines between each employee and their role in the privacy and security equation. Promote connectedness, not silos of operation.
  5. Create a clear vision of your goals and the risks that affect them. Circle back periodically to see whether you’re truly as comfortable with your stated risk appetite as you initially thought.

Once your organization knows what its risk appetite and risk tolerance levels are, you can move on to creating a risk management plan. Then you’ll have found the sweet spot between how hungry you are for innovation and growth, and how to make that happen without undermining data privacy and information security.

Are you confused about your risk management strategy? Contact Ostendio for a complimentary consultation with one of our security and compliance experts.

Post by Ostendio
February 6, 2019