We encourage security departments to present a business-based view of their programs by grouping identified security risks, as well as security mitigation strategies, into the list of common risk categories (of course, all organizations are unique, and more or fewer categories may be used depending on industry and size - or even a category specific to their industry or sector). This grouping can also be compared to the critical organizational risks the Board has identified. This way, the security function can present a direct link between each business category and the potential use of a security program or service to mitigate the risks identified. We have found this can lead to a number of positive results:
Improved communication. Because the flow of information is critical to effective risk management and effective risk oversight, it behooves the security leader to communicate risks and solutions in a framework that is already familiar to the Board. Grouping risks into board-level categories creates this framework, ensuring the information presented can be easily understood.
A business-first perspective. Any business unit can easily become so mired in its own operations, requirements and challenges that the broader goals and needs of the enterprise become obscured. This exercise enables security leaders who fall victim to such a mindset to break out of their narrowed view and see their function through the eyes of the business.
Value identification. When security initiatives are presented in the context that resonates with the Board, they may have a clearer view of how and where security adds value to the organization. In addition, the analysis may uncover untapped opportunities for security to help reduce redundancies, assist other functions or expand programs to create new value. In this regard, well-documented metrics provide enormous value to all parties.
Strengthened support. The SEC helps conduct board-level risk analyses based on its research of corporate enterprise risk assessment plans and strategies. Security leaders who have undergone this analysis report that displaying the risks in line with the values of the Board helps them gain support and move initiatives through the organization.
If you want to learn more about the Board-Level Risk Model, please see Managing Enterprise-Wide Board Risk.
Answer provided by Kathleen Kotwica, EVP, Security Executive Council, and Principal Analyst, Security Leadership Research Institute and Greg Kane, Director of I.T. and Product Technology, Security Executive Council.