
Drata’s CISO: The Business Perspective of Managing Risk

Get a security expert's take on managing risk, assessing your program's effectiveness, learning when to take the right risks.
October 07, 2022
Contents

  • Aligning Your Business and Risk
  • Aligning Compliance and Risk

Risk management is not an island unto itself. Instead, its policies and controls are there to support your overall business objectives. Ross Hosman recently conducted an on-demand webinar discussing how to measure your risk management program’s effectiveness.

In the clip below, Ross talks about his perspective on risk, when you need to take it to support the business, and how risk management programs align with your risk tolerance.

Aligning Your Business and Risk

Every business takes risks. The only question is, how smart are the risks they take?

Assuming the right risks at the right time requires alignment between your organizational priorities and your leadership team’s risk tolerance. Security or compliance professionals need to understand both to create a risk management program that strikes the right balance and serves the business. Of course, risk management programs can never align perfectly with every business goal every time.

Sometimes you have to say no. Most of the time, you focus on the “how.”

An example Ross gives is a new, lesser-known sales tool that could increase sales by 60% but doesn’t have every security control you expect in a vendor. Is that a risk worth taking? Yes, that would be an intelligent risk with the right security controls or contractual commitments in place.

Another way risk management supports business goals is by driving organizational maturity. For example, onboarding and offboarding practices that may have been appropriate in a 30-person startup make less sense in a 300-person growth company—much less a 3,000-person enterprise. A supportive risk management program evolves and strengthens these practices before they become issues in compliance audits.

Aligning Compliance and Risk

When you do have to say no, compliance is usually the reason. Your risk management program must align with your business’s relevant compliance frameworks. Standards like PCI or HITRUST expect you to adopt specific security controls. On the other hand, SOC 2, HIPAA, or ISO standards offer more flexibility within their risk management expectations. Whether the requirements are general or specific, your business must meet them to avoid taking on excessive risk.

Yet, sometimes those risks may be worth taking to support your business objectives—provided you develop suitable mitigations.

Measuring the Effectiveness of Risk Management

Understanding the business perspective of managing risk is only one piece of the puzzle when it comes to measuring how effective a risk management program is.
