The pace of change in the age of digital business and the Internet of Things forces risk and security professionals into a state of continuous conflict, between the business wanting to drive innovation, and the security team needing to rein in risk.
Indeed, one of the greatest challenges security teams face is not how to reduce risks but how to convey the benefits of risk management to leadership, says Paul Proctor, Gartner vice-president and widely respected analyst.
Much like chief compliance officers seeing everything through a compliance lens, chief risk officers tend to see the risk side of things along. Executive decision makers, on the other hand, hold a dual perspective: They want to know the business is adequately protected against risk—but they also need to weigh the risks of yesterday and today against the opportunities of tomorrow.
Where Risk Management fails
Having reviewed more than 300 board presentations on risk and security, Proctor found that in the vast majority of cases, the reports:
• Contained too much information—and fear.
• Came across as overly complex.
• Failed to align with wider business strategies.
• Lacked connection to board-relevant decision making.
The challenge is how to get the two sides to work in harmony. To do that, security teams need to learn to communicate the benefits of security changes as much as they do the risks, says Proctor.
How to talk risk to the boss
In his recent report on linking risk and security to corporate performance, Proctor provides eight practical tips for communicating benefits to executive decision makers:
1. Formalize risk and security programs—A formalized program is one that is repeatable and measurable. It contains four key phases: govern, plan, build, and run.
2. Measure program maturity—Using a maturity scale to measure your program identifies gaps and opportunities to improve. Maturity is also a good abstraction for executive decision makers who do not always understand technology.
3. Use risk-based approaches—Risk management is an explicit recognition that there is no such thing as perfect protection.
Organizations must make conscious decisions about what they’ll do, as well as what they won’t do, to mitigate risk. Stakeholders in non-IT parts of the business must make these decisions, not leave it up to IT professionals alone.
But more important, risk managers must take a proactive approach to risk assessment and management.
They need to manage risk, not be managed by it.
4. Use leading indicators of risk conditions—Risk managers need to define new leading indicators of business performance that includes both key performance indicators and key risk indicators. They should not focus exclusively on IT-centric KPIs. Doing so perpetuates the notion that IT risks relate only to IT.
5. Don’t bog down in numbers—Most organizations have a plethora of operation risk and security metrics. While these are extremely valuable for internal operations, they have little value to business decision makers.
Risk managers should map KRIs to KPIs. Good KRIs are simple and measurable and have a direct impact on multiple KPIs.
6. Link risk initiatives to corporate goals—Using fear, uncertainty, and doubt to get executive support doesn’t work.
Executives don’t want to hear how bad everything will be if they don’t invest in risk management and security. It’s equally useless to cite returns on investment because risk does not return a tangible dollar for dollar value.
The best way to win executive support is to demonstrate business value.
7. Remove operational numbers from executive communications—Don’t use operational metrics to communicate at a business executive level. Executives lack the background and training to understand the meaning in an operational context.
8. Clearly communicate what works and what doesn’t—In a risk-based world, a business-oriented audience wants to know:
• What are our risks?
• What is our posture?
• What do we do about it?
Communicate those three points well, says Proctor, and you’ve won half the battle.