Security and Risk Management can be complicated. Predicting what might happen to your business and preparing to protect and mitigate against those threats or risks is challenging. COVID-19 caught most of us off-guard and sent our security and risk management teams into overdrive with an increase in remote employees and cyber attacks related to the virus. But it is important to operationalize security and risk management as we move forward to our “new normal” and look to the future.
An effective Security and Risk Management program is essential for any business. It is an investment in the work that your organization does and your reputation, and a commitment to your customers who trust you with their data. It is also a regulatory requirement when you consider PCI, HIPAA, CCPA and GDPR as well as many other state and local regulations. If the recent pandemic was a wake up call to your business, maybe it is time to think about your operational risk management plan for the future.
It’s important to realize that the future of operational risk management is not about spreadsheets. It’s not the 1990’s and old fashioned ways of making things work will no longer cut in today's more complex environment. It is essential you have the data you need at your fingertips. Real-time metrics that show how your company is performing against industry standards and regulations, and cloud accessible tools that are available to your employees no matter where they are based. The future of security and risk management is about working collaboratively. Employees need to work together across your organization and, when you work towards a standard like SOC 2 or HITRUST, it is helpful to have a tool where auditors and employees can collaborate directly within that tool to track and manage all the elements of your security and risk management program.
Many researchers are suggesting that 2020 is going to show a significant rise in data breaches with Security Boulevard writing that “Around 16 billion records have been exposed so far this year. According to researchers, 8.4 billion were exposed in the first quarter of 2020 alone, a 273% increase from the first half of 2019 which saw only 4.1 billion exposed.” It might be impossible to eradicate risk but it is possible to analyze risk and prepare your business for it. Responding and planning now can protect your organization from future incidents.
The future of Operational Risk Management is collaboration.
So what can you do to make your business more successful?
Consider your organization’s risk profile. If you collect customer data that includes social security numbers and credit card information you will have a different risk profile to an organization that is simply collecting names and email addresses. Once you understand your risk profile you are ready to look at how to manage your risk.
Here are 5 operational risk management tips to make your business more successful:
1. Pick a framework - You can’t manage what you can’t measure.
You can only measure progress if you set a standard to be measured against. Many organizations have to measure themselves against more than one security framework. Perhaps, they use NIST CSF as their internal measurement and that is how they built their baseline security program but what happens when they have a customer who is insisting they complete a SOC2? Maybe they also process, or have access to, credit card data, and so PCI DSS comes into play. And let’s not forget that if they operate in different states local regulations like CCPA and the New York Shield Act might also apply. Since individually each of these frameworks may contain hundreds of controls that must be implemented and tracked this can quickly grow to become an unmanageable task. Using a compliance tool, like the Ostendio MyVCM platform, allows organizations to simultaneously build and manage activities against more than 100 industry standards and regulations. In fact, an organization should look for a tool that allows them to select any base framework, e.g. NIST-800 53, and then automatically map every control to any and all other frameworks selected. This means you can build one security program but seamlessly manage multiple frameworks at the same time. No spreadsheets or cross tracking required. You can even extend this feature to your customers’ audit requests by simply mapping existing evidence to their questions. This saves your organization time and money by reducing the duplication required in answering each request individually.
2. Build out your program - You can’t operate what you don’t implement.
Know how information is processed, stored and transmitted in your organization. Define how internal and external systems interact with one another. Make sure that everyone in your organization understands their role with regard to data security. Consider which employees are going to be directly involved with your risk management program and agree a budget that will support your program. Encouraging a culture of data security is important to success so look for a tool that can manage and track security training. While building out your program might seem overwhelming, there are Professional Services experts who can help establish your program which reduces the distraction from running your business.
3. Track and Manage Progress - You can’t manage what you can’t measure.
You need a tool that’s right for the job. You wouldn’t construct a house with a single hammer so you need to find a tool that has multiple functions that are suitable for the task at hand. Look for a tool that offers clear and easy to read dashboards, one that provides metrics so you can easily prepare status reports and one that offers crosswalk capabilities so you can apply evidence collected for one standard to another that is similar thereby allowing you to consider compliance to multiple frameworks. Look for a cloud-based tool that your employees can access remotely as this has become essential in the COVID era. Easy to read dashboards can show you on an individual, group or overall organizational level how you are progressing towards your goal.
4. Communicate status to key stakeholders - It isn't collaborative if people don't know about it.
Make security and risk management a board level discussion - it should be operationalized across the organization with a key member of the leadership team holding responsibility. By elevating the importance of data security and risk management to a board level position you are showing that you place importance on this element of your company strategy. Using a tool, like the Ostendio MyVCM platform, makes it easy to produce reports that will show how your organization is performing and what work still needs to be done.
5. Seek Independent Verification - Make your organization accountable.
If you have followed Step 1 and established a framework you will also be able to be audited against this framework to see how you are doing. Preparers can help you get ready for an audit and make sure you have the evidence and documentation in place to undergo an audit. When you are ready you will select an independent auditor who will audit your organization in line with your selected framework. This Independent Verification is an important step to show externally to customers, investors and partners that you take security and risk management seriously.
Don’t forget the need for on-going monitoring of your security and risk management program with possible annual audits and re-certifications required. You should always review processes if a breach happens or if there are known cybersecurity risks in your industry. Reviews are also necessary if your organization has had a major structural change due to an acquisition or takeover. However, if you select a tool like the Ostendio MyVCM platform, this will be straightforward as you can track and update evidence from one year to the next ensuring that the relevant stakeholders have reviewed and updated as necessary. Setting up a robust framework for security and risk management at the start pays off in the future.
Ostendio has over 7 years of experience helping organizations with their security and risk management programs. The Ostendio MyVCM platform helps organizations build, operate and showcase their security programs. The experts in our Professional Services team can provide additional assistance to companies who require help establishing a program or switching to a new framework. Ostendio also has an excellent Customer Success team who work individually with each customer to ensure they are properly trained in using the Ostendio MyVCM platform and making the most of their investment. If you want to learn more about the future of risk management or discuss a risk assessment speak to an expert at Ostendio.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
What do customers say?
Read real reviews from Ostendio MyVCM customers on the Capterra web site.