How do you communicate risk in your enterprise?

We certify against seven industry certs, so the problem is, each of those frameworks has underlying similar performance expectations, but the narrative terminology language is different. So we ended up creating an integrated risk framework to lay the controls on top of each other. It accomplished a couple of things: One is, it helps minimize audit fatigue, because you're pulling evidence against the same controls and you have one or two people that are presenting that evidence and it becomes an absolute. It just is really painful for the organization. The other is it provides the ability to quickly attest to good compliance practices, security practices. You can quickly interpret it. So it is a little bit of an upfront investment to create that framework, but it buys you some time.

11 views
4 comments
3 upvotes
Anonymous Author
When I try to explain risk, I try to be as granular as possible and say, "When you want to talk about risks, our culture is going to be the biggest risk because we don't know what we don't know." There are six different IT departments, and the biggest hurdle I have to climb is that there's no compliance audit for the County. The County has an internal auditor; however, the internal auditor's compliance scope is limited to finances. There is a need to educate on the importance of compliance and highlight the risks of non-compliance. I leaned heavily on convincing the elected official to make decisions that are defensible to protect their brand and reputation. I'm not IT security; I have a director that manages IT security. I'm enterprise risk. I'm a business person. And I try to dumb myself down by letting them know that I'm not going to say the word firewall, I'm not going to say phishing, I'm not going to say any of those words to you because I'm a business person. Now let's talk about how I could be your strategic partner to help you achieve your mission and goals. And so it's really trying to build trust, trying to make my services valuable to the businesses so they can say, "Hey, I can't deliver my product without the infosec team. I can't deliver my product and be successful without including the information security team." I'm getting it through agile processes of small wins, showing instant risk reduction of certain aspects of business and allowing those lessons learned to wrap back in and try to approach it again.
0 upvotes
Anonymous Author
I've come from the risk world and reporting, where I have found that people may glaze over, so my mantra is that the risk reports have to be relevant, timely and actionable. I want them to do something. And so what we try to do to make that happen is think qualitatively and quantitatively. If we're thinking about cyber, we are trying to figure out where the key risks are, what keeps us up at night. Those key risks should be mapped to something that we're doing to address them. And then what are the metrics that actually show how well we're doing? So for cyber, your IT infrastructure, actual data breach incidents, exceptions to your process, etc. I've never met a metric that's about to tell you that you're going to have a problem. People see numbers and metrics without context and say, "So what? What am I supposed to do with this?" So my focus has really been to make it more relevant so that we're bringing things to the table and we say, "We need to change our resource allocation or we need more money." We might not get it, but it helps to make it more relevant.
0 upvotes
Anonymous Author
I explain risk in simplistic terms centered around the audience receiving the risk. Different audiences understand different terminology, so my approach is to make sure I communicate in terms they can understand.
1 upvote