How do you communicate risk in your enterprise?

Vice President of Information and Security in Manufacturing, 5 years ago

I explain risk in simplistic terms centered around the audience receiving the risk. Different audiences understand different terminology, so my approach is to make sure I communicate in terms they can understand.

VP, Enterprise Risk Management in Software, 5 years ago

I've come from the risk world and reporting where I have found that people may glaze over, so my mantra is that the risk reports have to be relevant, timely and actionable. I want them to do something. And so what we try to do to make that happen is think qualitatively and quantitatively. If we're thinking about cyber, we are trying to figure out where the key risks are, what keeps us up at night. Those key risks should be mapped to something that we're doing to address them. And then what are the metrics that actually show how well we're doing? So for cyber, your IT infrastructure, actual data breach incidents, exceptions to your process, etc. I've never met a metric that's about to tell you that you're going to have a problem. People see numbers and metrics without context and say, “so what? What am I supposed to do with this?” So my focus has really been to make it more relevant so that we're bringing things to the table and we say, "We need to change our resource allocation or we need more money." We might not get it but it helps to make it more relevant.

no title, 5 years ago

We've tried a lot of that and we've come to the realization that the business is just not mature enough to interpret that type of stuff. They want to know good vs. bad, and they want to see yellow, green, red. That's just where we are. Keep in mind that people who run a County are representatives of the people; they're not necessarily business people. And so trying to have that conversation is a thin line, especially when they think that you're just IT security.

no title, 5 years ago

That’s an amazing skill set that you're gaining: heavy influencing at a level that's off the charts. Even in my world, when I try to influence decision makers, it comes down to what really motivates them. That's the front of your conversation. So you are assessing your stakeholders and immediately what's going to motivate them. And then you build your discussion off of that. I know it's probably frustrating but it's an amazing set of skills right there.

CISO, 5 years ago

When I try to explain risk, I try to be as granular as possible and say, "When you want to talk about risks, our culture is going to be the biggest risk because we don't know what we don't know." There are six different IT departments, and the biggest hurdle I have to climb is that there's no compliance audit for the County. The County has an internal auditor; however, the internal auditor's compliance scope is limited to finances. There is a need to educate on the importance of compliance and highlight the risks of non-compliance. I leaned heavily on convincing the elected official to make decisions that are defensible to protect their brand and reputation.

I'm not IT security; I have a director that manages IT security. I'm enterprise risk. I'm a business person. And I try to dumb myself down by letting them know that I'm not going to say the word firewall, I'm not going to say phishing, I'm not going to say any of those words to you because I'm a business person. Now let's talk about how I could be your strategic partner to help you achieve your mission and goals. And so it's really trying to build trust, trying to make my services valuable to the businesses so they can say, "Hey, I can't deliver my product without the infosec team. I can't deliver my product and be successful without including the information security team." I'm getting it through agile processes of small wins, showing instant risk reduction of certain aspects of business and allowing those lessons learned to wrap back in and try to approach it again.

no title, 5 years ago

Don't let a good crisis go to waste when it happens, right? It sounds like you're doing all the things that you need to be doing. Making it real for them and all that.

VP, Chief Security & Compliance Officer in Software, 5 years ago

We certify against seven industry certs, so the problem is, each of those frameworks has underlying similar performance expectations, but the narrative terminology language is different. So we ended up creating an integrated risk framework to lay the controls on top of each other. It accomplished a couple of things: One is, it helps minimize audit fatigue, because you're pulling evidence against the same controls and you have one or two people that are presenting that evidence and it becomes an absolute. It just is really painful for the organization. The other is it provides the ability to quickly attest to good compliance practices, security practices. You can quickly interpret it. So it is a little bit of an upfront investment to create that framework, but it buys you some time.
