Establish a Risk Management Function
You must assign risk management responsibility and authority to either an individual or a department within your organization. It is a vital step in establishing a cybersecurity and compliance management program. This risk owner will guide the cybersecurity conversation at an executive level. They will help the organization to define their risk appetite and tolerance and will take accountability for the risk.
This role must carry explicit responsibility for conducting risk assessments and overseeing mitigation efforts. The person could be a CISO or a compliance officer; in a smaller organization it could be a VP of IT. Whoever it is should be in regular contact with executives, so they can facilitate a process for identifying, assessing, and analyzing risks and ensure that executives and other key players have the information they need to make risk-informed decisions.
Executives should also sit on the risk committee, which should meet quarterly or biannually, depending on your organization, to review the results of the risk assessment and the resulting remediation efforts. The committee confirms that remediation is on track and that the organization is mitigating risks in line with its stated risk appetite.
Cybersecurity is no longer an “IT issue”; it impacts all aspects of doing business today.
“Organizations develop risk mitigation strategies based on strategic goals and objectives, mission and business requirements, and organizational priorities. The strategies provide the basis for making risk-based decisions on the information security solutions associated with and applied to information systems within the organization. Risk mitigation strategies are necessary to ensure that organizations are protected against the growing threats to information processed, stored, and transmitted by organizational information systems. The nature of the threats and the dynamic environments in which organizations operate, demand flexible and scalable defenses as well as solutions that can be tailored to meet rapidly changing conditions. These conditions include, for example, the emergence of new threats and vulnerabilities, the development of new technologies, changes in missions/business requirements, and/or changes to environments of operation. Effective risk mitigation strategies support the goals and objectives of organizations and established mission/business priorities, are tightly coupled to enterprise architectures and information security architectures and can operate throughout the system development life cycle.”
– NIST Special Publication 800-39
For more information about how you can protect your organization’s sensitive data with a scalable, framework-based approach, let’s have a conversation.