The business opportunities provided by technology-related innovation are immense, but these opportunities are accompanied by an ever-increasing level of risk.
How does the executive team obtain the clarity and insight needed to drive the strategic agenda and support critical resource and investment decisions? How do risk and compliance leaders continuously assure compliance with regulatory requirements, from Privacy through to PCI? In this article we provide an overview of a recommended approach that gives executives a clear whole-of-business view whilst fostering an organisation-wide security culture.
Two part approach
The approach is concerned with two viewpoints: the enterprise risk view and your Business Performance Management regime. Each business is focused on meeting its strategic objectives, delivering shareholder value and meeting operational targets. In meeting these objectives all staff, not just executives such as the CTO, CIO and CISO, have a responsibility for security. By incorporating relevant, targeted assurance metrics into overall business performance measures, risk impact and ownership are assigned. In this way an organisation-wide security culture is enabled by business stakeholders who are accountable for key components of security risk and empowered to act and make a difference.
The second, and equally important, part is the Executive Security Risk Dashboard, showing performance against key risk components. The target audience for this dashboard is typically the executive (C-Suite), the Risk and Audit Committee and the Board of Directors. All of these have a fiduciary responsibility to ensure security is front and centre and that the organisation is taking the requisite steps and making the right investments to secure data.
Through this two-pronged approach, individuals responsible for managing risk across their area of the business take an active role in reducing it, with improvements reflected in the overall performance of the business. At the same time, critical cyber and risk metrics provide the precision and insight required to monitor and manage the whole-of-business risk posture.
The role of Business Performance Management
Government agencies and publicly listed companies commit to some form of objective management across all aspects of the business, from finance through to people and culture. Some organisations take a structured approach using a Balanced Scorecard or similar, whilst others use ad-hoc targets and objectives. Regardless of the path taken, all approaches aim to maximise success by rewarding the desired results and behaviour across the organisation, and present a rolled-up view of performance to executives, investors and a range of external stakeholders.
Seldom do organisations tie information or cyber security metrics to a business unit's performance, thus unwittingly supporting the view that security is an "IT problem". Tying specific security and risk measures and outcomes to performance is one of the best ways to uplift the organisation-wide security culture and posture.
The key is to commit to an enterprise cyber risk appetite statement and to have commitment and buy-in from the executive and Board, ensuring the necessary investment and activities are planned and delivered against. Performance measures, including OKRs, KRIs and KPIs, can then be chosen that are relevant to the business, achievable and measurable. An example could be measuring the creation and maintenance of supplier risk ratings, and then having performance against these measures contribute to overall customer targets alongside common metrics such as client satisfaction and retention.
Executive Security Risk Dashboard
The second critical part of the executive view is the Executive Security Risk Dashboard: the single-pane-of-glass view for the executive risk committee and anyone with a fiduciary responsibility to the business. The dashboard provides the bridge between the measurable, actionable language of ICT and that of the business, showing the top-level appetite and target risk rating along with the organisation's posture against key areas such as:
- Insider attack
- External attack
- Physical security
The executive dashboard represents the top level of all Risk, Information and Cyber security reporting. It is underpinned by the Security Risk dashboard, which is in turn supported by a detailed control dashboard and the underlying service level and key performance indicators.
To provide executives with the visibility they require, we recommend starting with a four-step approach:
- Look at your business's external stakeholders, regulatory alignment, compliance requirements, objectives and business measures. Ask yourself: what is important and why? How can it be measured? Who is ultimately responsible?
- Understand the top-level governance body for managing risk in your organisation, and then determine which risk categories and associated controls are critical to the business’s
- Develop a future-state vision and underpinning objectives across both areas. Gain support and buy-in. Develop a plan.
- Implement the approach, rolling it out with a well thought out and carefully executed communication plan.
Mantel Group's Information Security specialists can assist with each and every step, from analysing the business requirements and aligning to the business through to setting up the tools and technology to monitor and measure your ICT environment.