Editor’s note: The following is a sponsored blog post from Hyperproof.
As the world we live in continues to change — and grow even riskier — leaders want to be more proactive rather than reactive. With fines doled out to companies each year totaling several hundreds of thousands — and sometimes millions — of US dollars for data breaches, security and compliance have never been more front-of-mind.
We sat down with Mike Caldwell, Sr. Program Manager for GRC at Outreach, the leading outbound sales execution platform, to see how his team communicates risks to leadership. After working in the GRC space for over a decade, including time spent working for the Government aligning risks to key business objectives, Mike understands that it’s all about being able to quantify risks in terms of objectives.
Establishing a Risk Baseline
When it comes to leadership, it’s often hard to know what they actually care about. Not everyone has a seat at the table, and it can be hard to know what goes on behind closed doors. But Mike has been there.
According to Mike, leaders at Outreach want to know inherent risks to the business as things stand today and potential risks for the year ahead. To establish that baseline, Mike and his team conduct an annual risk survey where they ask employees, new and tenured, questions related to different risks that could exist at the company to see how they respond.
The survey focuses on open-ended questions within ISO risk areas because Outreach follows the ISO 27001 and ISO 27701 frameworks along with NIST SP 800-30 requirements. The team writes the questions so that they are accessible to all employees, so even non-technical staff can understand them and provide feedback. One example is security operations: Mike’s team defines what it means, provides a scenario specific to Outreach, and then asks how the employee makes sure they report the loss of security items (e.g., a security badge or cellphone) in a timely manner.
Following the survey, Mike and his team create a risk assessment presentation for the CISO and CFO. They quantify risk through a point scale, but because most things are processes and workflows and not quantitative data, it takes a lot of subjective experience and knowledge to inform the scale.
From there, based on likelihood and impact, they calculate points using formulas with a weight scale for each risk treatment plan. Risk treatment plans are essentially projects that help them identify and implement controls to reduce risk. One plan may be more impactful than another, so it carries a higher weight. Typically, the risk equation yields a score from 1 to 5.
Once finalized, the presentation is given to the CISO and then the CFO, where they can then have conversations about which risks should be prioritized. Some may be moved around in the hierarchy, but the top risks don’t change. Then, those top risks are reported quarterly to executives and leadership.
Communicating in Business Terms
Each quarter, Mike presents the status of current risk treatment plans for Outreach’s top risks. Communicating in business terms to the C-Suite is vital, and Mike takes the list of risks from the survey and aligns it to the business objectives leadership cares about. Leadership is primarily concerned with the following:
- What the residual risk was at the beginning of the year
- What risk posture can be reached if all risk treatment plans are completed
- Where the company currently stands
- Which risk treatment plans have been completed or deferred, and why
The survey work informs the primary risk treatment plans for the year, as it shows the impact throughout the entire company. It’s also how they quantify risk so that it can be made into KPIs and tracked throughout the year via their risk register.
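The scoring and reporting flow described above (likelihood and impact combined into a 1-5 score, weighted treatment plans, and the four questions leadership asks each quarter) can be written out as a small risk-register calculator. The Python below is an added example, not Outreach’s or Hyperproof’s own formula: the mapping from likelihood × impact onto a 1-5 band, the treatment of a plan’s weight as the fraction of a risk it removes when completed, and the sample risks and plans are all assumptions constructed for illustration.

```python
"""Toy risk register: inherent score, residual posture and a quarterly summary.
All formulas and sample data are assumptions for illustration, not a vendor's method."""
import math
from dataclasses import dataclass, field

@dataclass
class TreatmentPlan:
    name: str
    weight: float   # assumed: fraction of the risk's score this plan removes once completed (0..1)
    status: str     # one of "planned", "completed", "deferred"

@dataclass
class Risk:
    name: str
    likelihood: int  # 1..5
    impact: int      # 1..5
    plans: list = field(default_factory=list)

def inherent_score(risk: Risk) -> int:
    """Assumed mapping: likelihood x impact (1..25) banded onto a 1-5 scale."""
    return math.ceil(risk.likelihood * risk.impact / 5)

def residual_score(risk: Risk, counted_statuses: set) -> int:
    """Score after applying plans whose status is in counted_statuses.
    Plan weights add up (capped at 1.0); the result never drops below 1."""
    reduction = min(1.0, sum(p.weight for p in risk.plans if p.status in counted_statuses))
    return max(1, round(inherent_score(risk) * (1.0 - reduction)))

def beginning_of_year(risk: Risk) -> int:
    return residual_score(risk, set())                  # no plans applied yet

def current_posture(risk: Risk) -> int:
    return residual_score(risk, {"completed"})           # only finished work counts

def target_posture(risk: Risk) -> int:
    return residual_score(risk, {"planned", "completed", "deferred"})  # every plan done

def quarterly_report(risks: list, top_n: int = 3) -> list:
    """The four leadership questions, per risk, for the top_n risks by inherent score."""
    ranked = sorted(risks, key=inherent_score, reverse=True)[:top_n]
    return [{
        "risk": r.name,
        "start_of_year": beginning_of_year(r),
        "current": current_posture(r),
        "if_all_plans_done": target_posture(r),
        "completed": [p.name for p in r.plans if p.status == "completed"],
        "deferred": [p.name for p in r.plans if p.status == "deferred"],
    } for r in ranked]

# Constructed sample register (hypothetical names and values).
SAMPLE_RISKS = [
    Risk("Unreported loss of badges or phones", likelihood=4, impact=3, plans=[
        TreatmentPlan("Device-loss reporting training", 0.3, "completed"),
        TreatmentPlan("MDM remote wipe rollout", 0.5, "planned"),
    ]),
    Risk("Excessive vendor access", likelihood=5, impact=5, plans=[
        TreatmentPlan("Quarterly access review", 0.4, "deferred"),
        TreatmentPlan("SSO enforcement for vendors", 0.4, "completed"),
    ]),
    Risk("Stale laptop encryption keys", likelihood=1, impact=2, plans=[]),
]

if __name__ == "__main__":
    for row in quarterly_report(SAMPLE_RISKS):
        print(row)
```

Each row answers the four questions in one place: where the risk started, where it is now given only completed plans, where it would land if every plan shipped, and which plans were completed or deferred. Swapping in a different band mapping or weight scheme changes only `inherent_score` and `residual_score`; the report shape stays the same.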
“I can’t imagine going to a board or a C-Suite and bringing a problem,” says Mike. Instead, Mike brings solutions to the table. “We identify the risks, show the projects we believe will help remediate risk, and then [how] we’ll have these controls in place,” Mike explains.
When someone communicates risk, it “gives [leadership] a warm fuzzy feeling,” and makes them feel better that someone is looking out for the company. Risk is being managed, not ignored until there’s a problem — and that’s what matters most to them.
The Role Technology Plays
When he communicates the company’s risk posture, Mike uses the Hyperproof platform to show where they stand. Often, dashboards are the best way to communicate the current state of risk to the CISO. While all of Outreach’s risk treatment plans are tracked in Jira, the Hyperproof dashboard is easier for the CISO to get a quick glance and instantly understand their current risk posture. Within the dashboard, Mike can show all of the KPIs that leadership cares about in one place.
Be Proactive, Not Reactive
Risk management is drawing more attention in the current state of the world. People are learning that once an incident or event happens, cleaning it up after the fact costs far more than preventing it, so being proactive is the cheaper and more cost-effective choice.
Leadership teams would rather feel assured that someone is looking and working on risk than be vulnerable to potential breaches or failing audits because the right controls aren’t in place. And, customers can rest assured that their data and privacy are being protected to a high standard.
Communication is an essential and powerful tool that allows Mike and his team to ensure that the company understands how to best mitigate the risks to the business. By clearly communicating risk in business terms, they can make sure the entire company is in alignment, thus helping build a culture of compliance. Close alignment allows the business to holistically handle risk from the bottom up.