Author: Rick McElroy, Security Strategist, Carbon Black
In my previous blog, I discussed my intent to highlight, through a series of blog posts, the 10 most important questions CEOs should be asking their teams.
As the first blog in this series, let’s start with the first question CEOs should ask: “How can the structure of the team in charge help us to better manage risk?”
By answering this, you will gain insight into the overall structure and maturity of risk management in your organization. Here are some guiding questions to help you kick-start the process of achieving a well-defined risk management strategy:
Who is actually responsible for managing and accepting risk in the organization?
Do you have someone responsible for risk management? Is there someone responsible for information security? Is someone responsible for compliance (if applicable)?
Is this decentralized or centralized? How many staff members are dedicated to managing risk?
Your team should be able to describe how the overall program is managed and organized.
Bonus points for organizations that have these answers ready for external auditors or customers who may ask. Risk response must be timely and immediate, and should not require a long data-gathering exercise.
What is our risk tolerance?
CEOs and boards should drive the acceptable level of risk tolerance for an organization.
“Risk tolerance is defined as the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame. An organization’s risk tolerance level is the amount of corporate data and systems that can be risked to an acceptable level. Having a defined risk tolerance level means the security program knows the degree that management requires the organization to be protected against the threats they face.”
Giving tolerance guidance to your team will ensure they align with your Commander’s intent – the purpose and conditions that describe your idea of a successful outcome of a mission – and allow them to manage risk at appropriate levels.
When is risk being considered?
Is it baked into the upstream decision-making process or is it considered throughout the life cycle of the business?
Your team should help you understand where risk decisions are being made and if the gates are commensurate with the risk. This will also speak to the maturity of your risk management program.
Where is the current list of risks?
Risks come in all shapes and forms. Some risks are really business opportunities waiting to be taken advantage of. Organizations that manage risk well will not only do a better job of protecting themselves from cyber threats but will also gain a long-term competitive advantage. Risk is not always inherently a bad thing.
For most organizations, risks will fall into the following category:
Industry and Competitive Risks
Knowing where to get appropriate information in a timely fashion is crucial to making accurate risk-based decisions. For example, mature organizations have moved the necessary sources to online dashboards so that downstream risk data is updated in real time.
How are risks being managed and communicated? What’s the cadence of meetings?
This final question will allow you, as the CEO, to understand whether your organization embraces open and transparent risk discussions, and to identify unknown risks that are not being detected, communicated or managed appropriately. This will also ensure risk discussions are part of the ongoing business process and not held only when risks surface.