Risk management has been a vital part of organizations, not just to understand which risks they are prone to, but also to have a clear picture of the gaps and areas of risk. Most organizations initially took up initiatives to prevent any breach or loss completely, which amounts to risk avoidance. In this attempt, they lost sight of the measures that can be adopted to manage the risk factors within their companies and, in the process, reduce the risk. Another vital facet is how most organizations today have shifted toward metrics and measurements based on maturity frameworks to assess and analyze risk factors and instill security within their firms. Most enterprises have also engaged in aligning their risk categories with investments to improve their current risk management policies. In light of these trends, along with several years of experience as a CISO, I see ground-breaking innovation in the utilization of various standard frameworks. These are used to assess companies and evaluate whether they have the apt tools and capabilities to respond to any unforeseen incident and minimize its impact. After all, security infringement, the potential of risk and its appropriate management is a volatile and dynamic equation.
The customary frameworks and standards, such as the ISO standards and the NIST Cybersecurity Framework, are at present a must for organizations to evaluate themselves against their peers in the industry. Companies need to know how well-equipped they are to respond to risk from a metrics perspective, and also understand how their management board operates. Organizations need to be well-informed about whether the management team is technical and more focused on the metrics, or business-oriented and takes into consideration employee risk, third-party risk, and customer risk. Equipped with this knowledge, it then becomes incumbent on the security personnel to comprehend the organization's risk appetite and carry out further discussions along those lines. In my opinion, technology is no doubt an integral part of our operations, but the utmost significance lies with our vendors and the relationships we create and sustain. The way industry leaders convey the organization's current scenario, when it comes to the risk appetite and the strategic initiatives to move toward their business goals, is a lot like advertising. It is necessary to keep in mind the people the message is addressed to, and to frame it in a way that can be accepted and understood in a short span of time.
Apart from facilitating a standardized work environment within organizations, it is also important for industry leaders to identify the right vendors and solution providers to enhance their risk management capabilities. For this purpose, it is best to have meaningful interactions with them about their experience and people. It is necessary not just to perform risk assessments and penetration tests, but also to know how each provider differs from the many others in the marketplace today, while making sure they serve the purpose and need that the organization has toward achieving its end goals.
The other significant aspect that needs to be taken heed of is the employees within the organization. More often than not, we keep pushing our teams to go through training at several levels. In my view, it is a far more efficient approach to provide basic awareness training to all employees, after which only those job positions and people who are at a higher risk of phishing should go through enhanced training and testing, while conducting extensive monitoring of their accounts.
In all my endeavors at Cushman and Wakefield, there have been some noteworthy initiatives that I have been a part of. One of these is to do away with passwords in the organization and protect our organization from attackers. We are also looking at data protection in a highly digitized world with multiple devices across multiple locations. This can be achieved by evaluating the cost entailed in various technologies and getting true value from them. The other significant aspect that we are working on is the adoption of behavior-centric security and awareness training. This focuses mostly on those people in the organization who are prone to higher risk, thus creating a more systematic evaluation of risks and establishing a secure and protected work environment. While operating within our organization, we take into consideration the technical, employee, customer, and third-party risk, and accordingly align our investments to resolve these risk factors. We also take heed of our risk position while implementing enterprise risk programs within our organization.
Looking ahead into the future, it is not the risk management space itself that is transforming, but how people report and analyze the risk factors within any organization. Instead of investing in new tools and technologies, we should look into the already existing tools and gain maximum value from them. It is also critical for organizations to formulate a budget and make valuable decisions. It is all about building a success story within the organization's budget, to help achieve the business goals and the risk profile. Most importantly, all industry leaders should not be swayed by every innovation in the market but should first exploit the full potential of the tools and technologies they already have. Also, they should keep the best interests of employees, third parties, customers, and the overall business at the forefront of the game.