What does risk mean to you?

By Matt Middleton-Leal, Managing Director Northern Europe, Qualys.


There’s a famous quote attributed to George Bernard Shaw: “Britain and America are two nations divided by a common language.” In the UK, “chips” means what Americans call french fries, while what Americans call potato chips are “crisps” in the UK. They are all potato products, but they are very different, and if you order one expecting the other you will be disappointed. Without that shared understanding, it’s easy to miss some of the meaning.

The concept of risk is the same. Say “risk” to a Chief Information Security Officer, a Chief Finance Officer and a Compliance leader, and they will have very different ideas in mind of what you mean. The challenge around risk is that it affects the whole business, so silos or misunderstandings can have a material impact.

So how can we overcome this problem, and get more understanding across security, finance and compliance? How can the CISO, CFO and Compliance function leaders understand each other better?

Centralise your risk operations

The hurdle to get over is how data is siloed across the organisation. Enterprise IT teams support multiple different digital platforms that are in place from legacy client-server deployments all the way through to modern cloud applications and software containers. Each and every application will have huge numbers of components that all have to be tracked. Any potential outage or software vulnerability will have an impact on the business, so standardising on how much that will cost is an essential move to get everyone to the same point of understanding.

Putting a cost on a failure - whether that is a full-scale data breach caused by a software vulnerability, or the downtime needed to prevent an attack - is a critical step in making this work across the business. This exercise is called cyber risk quantification. For many CISOs, this is something they will need to carry out themselves in future rather than delegate to their security analysts, as it ensures they can have full and frank conversations with the rest of the business about risk. It also helps the CFO and the Compliance team discuss security risks in a common language that they and their peers can understand, rather than retreating into their own jargon. Linking risk to money makes it easier to explain to the rest of the business as well.

Centralising this data and creating a risk operations centre (ROC) to manage this process enables you to get everyone together. While each team might need a different view on the data itself, having one central point to manage and control operations makes responding easier to coordinate and prioritise. Similar to a security operations centre, or SOC, the ROC approach involves having the right people able to make decisions based on the right context.

Improving results around risk

The goal for a ROC deployment is to improve how risk is handled, processed and ultimately reduced across the organisation. For the CISO, risk reduction comes from better understanding of how much risk the business faces at any given point due to software vulnerabilities or particular threats, and how that level of risk changes over time. By integrating the ROC as a place where decisions on priorities get made with the SOC to take care of security and remediation programs, the CISO can direct resources to the issues that need to be addressed urgently. This also makes it easier to collaborate across software development, IT operations or other teams that are responsible for carrying out mitigations or updating assets, because they will have the context for those decisions as well.

For the CFO, getting more insight into risk across the business provides them with a better understanding of the financial impact that potential events can have. Rather than looking at data that makes sense to IT teams, the CFO can draw a direct line between risks and mitigations. While this can support decisions around IT and security budgets, it can also be used to plan around other mitigation strategies, like choosing the right cyber insurance approach and buying the right levels of coverage rather than policies that sound right, but would not pay out adequately in the event of a data breach or other event.

For Compliance teams, working with the rest of the business on risk helps them to plan ahead for current and future regulation. Companies involved in critical national infrastructure in the EU and beyond have to implement resilience policies to meet NIS2, while those in finance and banking have to comply with DORA from January 2025. Both of these regulations stipulate specific requirements around security and resilience planning, and from a risk perspective any failure can lead to significant fines. Further regulation around product safety and AI may also affect businesses. Understanding that potential impact and where gaps exist is harder when you are working in a silo, so having real-world financial impact data to draw on will support any future planning and investment.

However mature your organisation is around security, there are always improvements that can be made. Focusing on risk - what issues exist and what they may cost the business if something goes wrong - makes it easier to work across teams to make those improvements. Speaking a common language around risk that is directly linked to financial impact ensures everyone can focus on how to make those improvements, and on making sure they stick over time. With a ROC, everyone can speak the same language about reducing risk.
