Drata’s CISO: The Business Perspective of Managing Risk
Get a security expert's take on managing risk, assessing your program's effectiveness, learning when to take the right risks.Risk management is not an island unto itself. Instead, its policies and controls are there to support your overall business objectives. Ross Hosman, recently conducted an on-demand webinar discussing how to measure your risk management program’s effectiveness.
In the clip below, Ross talks about his perspective on risk, when you need to take it to support the business, and how risk management programs align with your risk tolerance.
Aligning Your Business and Risk
Every business takes risks. The only question is, how smart are the risks they take?
Assuming the right risks at the right time requires alignment between your organizational priorities and your leadership team’s risk tolerance. Security or compliance professionals need to understand both to create a risk management program that strikes the right balance and serves the business. Of course, risk management programs can never align perfectly with every business goal every time.
Sometimes you have to say no. Most of the time, you focus on the “how.”
An example Ross gives is a new, lesser-known sales tool that could increase sales by 60% but doesn’t have every security control you expect in a vendor. Is that a risk worth taking? Yes, that would be an intelligent risk with the right security controls or contractual commitments in place.
Another way risk management supports business goals is by driving organizational maturity. For example, onboarding and offboarding practices that may have been appropriate in a 30-person startup make less sense in a 300-person growth company—much less a 3,000-person enterprise. A supportive risk management program evolves and strengthens these practices before they become issues in compliance audits.
Aligning Compliance and Risk
When you do have to say no, compliance is usually the reason. Your risk management program must align with your business’s relevant compliance frameworks. Standards like PCI or HITRUST expect you to adopt specific security controls. On the other hand, SOC 2, HIPAA, or ISO standards offer more flexibility within their risk management expectations. General or specific, your business must do these things to avoid taking on excessive risk.
Yet, sometimes those risks may be worth taking to support your business objectives—provided you develop suitable mitigations.
Measuring the Effectiveness of Risk Management
Understanding the business perspective of managing risk is only one piece of the puzzle when it comes to measuring how effective a risk management program is.