Changes to digital spaces in recent years have led to a sharp rise in IT risk for many organizations. With cloud adoption, digital processes, remote work and third-party relationships growing dramatically, new, complex and expanded threat landscapes now exist — and bad actors are eager to exploit them. And not all organizations are adequately prepared to handle the risk. RiskOptics’ Meghan Maneval talks about how leadership’s view of risk colors the compliance function.
It takes an average of 277 days for cybersecurity teams to identify and contain a data breach, according to IBM and Ponemon Institute, so every second a company lacks visibility or fails to respond actively gives bad actors a chance to cause significant damage. That’s why a proactive approach to seeing, mitigating, understanding and acting on risk is key to improving the effectiveness of security and, thus, cyber compliance.
But risk isn’t treated or even viewed the same in all organizations, and these differences can have consequences for a variety of stakeholders. When it comes to cyber risk, the details are in the eye of the beholder.
Rose-colored glasses and blinders
According to Forrester, just 35% of security leaders believe that compliance drives the right focus and behaviors within their business. This disconnect needs to be remedied, and better risk assessments are the answer. Leaders recognize that compliance needs to be supplemented with a risk-first mindset. Budgets are expanding for risk-first approaches, with 59% of security leaders planning to increase investment in risk technology, citing risk management as a business priority almost twice as often as compliance.
Some companies think adhering to compliance regulations is enough to protect an organization. While that might be true in some lucky organizations, this approach is not as all-encompassing as the current threat landscape requires of security leadership.
Yes, regulations and policy changes are core to a strong compliance program, and there are ways to digitize and automate the process. Anticipating the threats looming in certain markets, regions and economic conditions will help information security leaders and chief information security officers (CISOs) lead proactive and agile risk management programs. Leaders who subscribe to compliance alone without considering their organization’s risk appetite will be missing the full picture of risk. Not acknowledging this aspect of security is akin to wearing rose-colored glasses — or worse, blinders that obscure the vulnerabilities impacting companies.
That is not to say that a compliance-first approach is wrong. However, supplementing existing compliance activities with a risk-based approach grounds the program in the very real, imminent threats that surround the business. For example, if a company wants to expand into Germany, the compliance-first approach is likely to involve a gap analysis of the EU GDPR. In contrast, a risk-first approach begins by identifying the unique threats, vulnerabilities, processes, policies and third-party providers in scope for the Germany expansion. Next, the impact and likelihood of each are assessed, and complementary controls are identified to reduce said risk.
Magnifying glasses
On the other end of the spectrum of risk and compliance, some leaders use magnifying glasses. This kind of leader is buried deep in the specifics and analysis of their risk programs, generally because they don’t understand what is being done holistically to reduce risk. Magnifying glass users are great at getting granular in their approach to compliance, but they often miss the full view of how risk affects business and how it can be leveraged to ensure that stakeholder investment is used wisely.
A magnifying-glass approach to risk often stems from a lack of confidence in risk-reduction activities, leading to unmet goals and wasted resources. For the compliance team, it can also be extremely tedious. Prioritizing the details rather than the big picture can make auditing longer, leading to delays in determining control efficacy. Each day spent collecting evidence and assessing controls is one more day your organization isn’t actively preventing risk. Often, by the time an assessment is complete, the data is outdated because of an infrastructure change, new or changing records or new vulnerabilities. This can leave the organization vulnerable, while the compliance team is hooked on the nuances.
Risk-colored glasses
These approaches or perspectives — rose-colored glasses, blinders and magnifying glasses — are no longer adequate for modern organizations.
Leaders can supplement their compliance processes with a risk-first view of the business. When choosing the right approach to risk management, it’s important to select a program that defines risk within the company’s business context. A modern risk management program can and should help organizations gain high-level insight into their compliance and risk posture in the context of their business — allowing companies to break down silos, eliminate gaps and reduce blind spots.
Cybersecurity leaders can deliver better outcomes with less effort by buttressing their compliance program with a risk-centric vision. A risk-based approach puts cyber risk in a business context so that CISOs and CIOs can connect risk to the business objectives prioritized by the C-suite and board. With visibility into the organization’s overall risk posture, leaders will have an accurate and relevant view into how their actions and investments are impacting business success.