Monday, March 1, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Featured

How CISOs Can Effectively Convey Information Security Risk to the Board

Overcoming the Communication Hurdle by Speaking their Language

by Sam Abadir
May 8, 2019
in Featured, Risk
woman in profile speaking jumbled letters

Effective leaders understand that boards are comprised of people with different skills and areas of expertise – often without the acumen to understand the details of security and risk the way a security or risk professional does. Lockpath’s Sam Abadir offers guidance on bridging that gap.

Communicating risk posture and assessments to the highest levels of an organization is a demanding and increasingly pivotal responsibility in businesses that rely on information technology. In a world where new threat vector and information risks proliferate, every CISO must be skilled in communicating the value of IT security to the business. By presenting this connection to the board, information chiefs show the role risk plays in the business and how information risk plays a role in fulfilling overall corporate objectives.

The risk management and governance work performed by CIOs, CROs, CISOs and their teams is central to the security of enterprise assets, data, supply chains, services and customers. It’s not just about checking boxes on compliance and audit preparation. When governance, risk management and compliance (GRC) programs are properly implemented, they strengthen and protect every facet of the enterprise. Managing security, IT and corporate policies becomes more integrated and efficient, closing gaps created by silos of data, systems and functions.

The biggest challenge for CISOs is finding a way to communicate risk in a way that everyone on the board understands. It’s a lot easier to convey risk assessments to executives and boards if everyone is speaking the same language. With a holistic risk profile correlated to business metrics, processes and goals, CISOs can select which risks need to be presented to the board — the ones with the highest probability and impact.

They can also calculate what it would cost should the risk become reality. How would the company be affected, and for how long? How much would it cost for remediation? How much revenue and reputation would be lost? Speaking in dollars and cents goes a long way to bridging the gap between IT and the board of directors. Getting everyone on the same page through regular reporting and unified risk assessments also fosters the collaboration and top-down security and compliance culture that are the hallmarks of mature enterprises.

Reporting about a “SIEM alert” could easily alienate even the most IT-friendly board member, or at a minimum, leave them confused about how it will impact the business. It is important to avoid jargon and communicate in comprehensive terms that correlate to corporate objectives and business value.

Most businesses will likely have a good idea what the risks to their business operations and processes are, but they might not understand them in terms of information security, governance and compliance. By associating IT risks with business objectives, processes and goals, the board can assign a dollar amount to these risks and better understand the impact they will have to the bottom line and organizational growth. A GRC platform is extremely useful for CISOs, as it can aggregate data from both operational and IT aspects of the business to efficiently provide this context.

Visibility is a huge issue in most organizations. It’s a buzzword, but think about what it really means and how hard it is to “see” everything in a complex, technology-powered organization. Multiply the difficulty if you work at a large, multinational corporation with a sizable technology footprint. As a C-level executive, the board expects you to be the eyes and ears.

You need a watchtower, not a spreadsheet.

If you don’t have an inclusive inventory of technology assets — data, hardware, software and devices— then you only have a partial risk picture. Mature GRC programs can combine data from across the technology landscape to create a true asset management database and then integrate vulnerability scans, configuration and SIEM data, threat intelligence feeds and incident reports in order to map relationships between assets, risks, policies and compliance requirements. This provides a holistic view of risk.

Indeed, one of the primary benefits of comprehensive integrated risk management (IRM) is the ability to aggregate data on assets and their associated risks from across the enterprise. Then check it against policy benchmarks, threat intelligence sources and compliance databases on a GRC platform. In turn, centralizing the data makes reporting easier, and reports can even be customized based on the different needs, roles, levels of knowledge and responsibilities of stakeholders. Automation (e.g., workflow, monitoring, remediation) and advanced analytics are essential GRC capabilities that facilitate more complete and accurate risk assessments.

Once you can connect, analyze and report on these relationships in a centralized framework, you can begin the real work of risk management: aligning risks to business value so that you can plan and prioritize compliance and remediation workflows effectively. This is how you get to the context, evidence and business value justifications the board requires when addressing risk.

An enterprise can only move toward risk management maturity and optimization by taking strategic approaches rather than merely tactical ones. Many IT departments do not know enough about how non-IT operations create value, or even what specific type of threat or incident would cause the costliest damage. GRC platforms map vulnerabilities to assets, risks, compliance activities and business value so that it becomes possible to track key risk indicators as carefully and contextually as key performance indicators. Each company has a unique risk profile; those with the most accurate self-awareness know which risks they can accept and which lines they cannot cross.


Tags: automationboard of directorsinformation security
Previous Post

Ponemon on Third-Party IoT Risk: Companies Don’t Know What They Don’t Know

Next Post

DOJ’s Risk Assessment Expectations in “Evaluation of Corporate Compliance Programs”

Sam Abadir

Sam Abadir is Vice President of Industry Solutions at Lockpath. Sam has over 20 years of experience helping companies realize value through improving processes, identifying performance metrics and understanding risk. Early in Sam’s career, he worked directly with financial institutions and manufacturing companies to help them realize institutional value. As a Senior Manager at Deloitte, he focused on improving processes and increasing value for Global 2000 companies. In the past seven years, Sam has worked with software companies like Lockpath to build the tools that help companies manage risk and create value that enhance performance in a structured and efficient manner.

Related Posts

woman looking at horizon from mountain top

What’s on the Horizon for Anti-Corruption Enforcement?

February 25, 2021
cannabis leaf on $100 bill

The Intersection of EDD and Banking Cannabis

February 24, 2021
gold cup award on red background with stars

Ethisphere Announces the 2021 World’s Most Ethical Companies

February 23, 2021
illustration of hand holding flashlight illuminating hidden stairs

The Corporate Transparency Act: Pulling Back the Veil

February 23, 2021
Next Post
Department of Justice emblem on American flag background

DOJ's Risk Assessment Expectations in “Evaluation of Corporate Compliance Programs”

Access realtime data
Addressing systemic racism in the workplace SAI Global
Dynamic Risk Assessments with Workiva
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights