The Challenge: Although it’s broadly acknowledged that risk should drive security programs, that is easier said than done. Customers struggle to define, assess, measure, communicate and manage risks in a consistent and comprehensive manner. Risk is constantly changing with the business landscape, and a multitude of gaps in the typical organization, policy and governance processes make effective risk management a hard discipline to establish.
Our Solution: A Risk Management Program Review begins with an assessment of risk-related domains such as governance, risk management, policy, data classification, change management and metrics. We analyze and validate the current state and the gaps, then prepare a full set of detailed recommendations and suggested templates.
The Risk Management Program Review helps clients discover or define any or all of the following:
- Taxonomy of the types, levels and thresholds for risk in the context of the business
- Risk owners and risk appetites, and how risk drives the selection of security controls at a general level
- Policies encoding the underlying taxonomies and role of risk management in governance
- Processes for measuring, assessing and reporting risk registers, key risk indicators (KRIs) and key performance indicators (KPIs)
- Linkage of risk taxonomy to the control framework in security policy, standards and guidance on architecture patterns to use
- Integration of risk level-appropriate assessment, approval, management and exception processes into project management, supplier or vendor management, software development lifecycles (SDLCs), and IT service management (e.g. change management, incident response) processes
- Risk estimation or quantification methodologies for planning and budgeting IT/security business cases
The Risk Management Program Review can also utilize elements of our assessment, architecture improvement and custom consulting packages at a level tailored specifically for each client. The review can be delivered as a standalone offering, or it can support our other three Security Leadership Services at any appropriate level of breadth and depth.
Benefits: Clients gain both an assessment of their current risk management process and a full set of recommendations and suggested templates for a state-of-the-art risk management framework. The process instills a comprehensive risk management approach into IT security and business governance. Risk assessment, approval and reporting processes will flow through the organization using control and reporting metrics appropriate to each level of the management hierarchy or governance matrix. Risk management will influence business decisions in a risk-appropriate manner, enabling the organization to move forward with IT, digital transformation and other business initiatives with greater confidence in its ability to maintain security, visibility and control. Performing risk management enables compliance with regulations that specifically require its use. It also improves the organization’s regulatory compliance posture by informing the selection of security controls and other risk-related decisions.