The Challenge: Although it is broadly acknowledged that risk should drive security programs, that is easier said than done. Customers struggle to define, assess, measure, communicate and manage risks in a consistent and comprehensive manner. Risk changes constantly with the business landscape, and gaps in the typical organization's structure, policies and governance processes make effective risk management a hard discipline to establish.
Our Solution: Security Architects Partners reviews its clients' existing risk management policies and practices, finds the gaps and recommends improvements on a high-level security roadmap as an inherent part of several of our assessment and architecture improvement consulting packages. A full Risk Management Program Review begins with a deep assessment of risk-related domains such as governance, risk management, policy, data classification, change management and metrics. We analyze and validate the current state and its gaps, then prepare detailed recommendations. Optionally, we can facilitate one or more workshops at the executive, CISO or management level, and/or set up a retainer with your organization to provide more hands-on help putting our recommendations into practice.
Security Architects Partners' core assessment and improvement objectives are to help the client discover or define any or all of the following for their risk management program:
- A taxonomy of the types, levels and thresholds of risk in the context of the business
- Risk owners and risk appetites, and how risk drives the selection of security controls at a general level
- Policies that encode the underlying taxonomies and the role of risk management in governance
- Processes for maintaining risk registers and for measuring, assessing and reporting key risk indicators (KRIs) and key performance indicators (KPIs)
- Linkage of the risk taxonomy to the control framework in security policy, standards and guidance on which architecture patterns to use
- Integration of risk-level-appropriate assessment, approval, management and exception processes into project management, supplier or vendor management, software development lifecycle (SDLC) and IT service management (e.g. change management, incident response) processes
- Risk estimation or quantification methodologies for planning and budgeting IT and security business cases
As noted, the Risk Management Program Review can draw on elements of our assessment, architecture improvement and custom consulting packages at a level tailored to each client. The review can be delivered as a standalone offering, or it can support our other three Security Leadership Services at any appropriate level of breadth and depth.
Benefits: The Risk Management Program Review helps instill a comprehensive risk management approach into IT security and business governance. Risk assessment, approval and reporting processes will flow through the organization using control and reporting metrics appropriate to each level of the management hierarchy or governance matrix. Risk management will influence business decisions in a risk-appropriate manner, enabling the organization to move forward with IT, ecommerce and other business initiatives with greater confidence in its ability to maintain security, visibility and control. Performing risk management also satisfies regulations that specifically require it, and an effective program further improves the organization's regulatory compliance posture by informing the selection of security controls and other risk-related decisions.