With cybercrime and related threats on the rise, and increased global spending on cybersecurity with not much impact on risk reduction, there is a need for change. “Let’s switch our mindset from the old management style that uses outdated thinking and slows remediation, and instead look to a forward, modern perspective,” said Tony Luciani, PCI QSA, CISA, HITRUST Assessor, senior manager, product solutions, Audit Board, at his ISACA Conference North America session, “Three Forward-Thinking Practices to Manage IT Risk.”
There are three practices Luciani considers to be important for managing risk:
- Align cybersecurity with business goals.
- Work faster, smarter and “win” together.
- Provide actionable insights that your board can understand.
Align Cybersecurity with Business Goals
For the first practice, Luciani said you must examine your business from multiple perspectives. Identify your most critical partners and stakeholders, including internal teams and key vendors, and start embedding strong security practices in those areas. You will need to rethink cybersecurity as a business priority – map out your organization’s overall revenue goals and determine competitor benchmarks. Lastly, ensure there is common understanding in the organization; resolve any gaps between the IT team and the board.
Work Faster, Smarter and “Win” Together
Luciani’s second practice involves “breaking down knowledge silos and explaining cybersecurity to non-IT personnel.” Luciani shared a number of best practices for communicating with non-security personnel, including grouping/consolidating, standardization, sharing with operations for transparency, a single source of truth, and collaboration.
“Make it a team effort: leverage a solution to enhance collaboration,” Luciani said.
Provide Actionable Insights That Your Board Can Understand
The third forward-thinking practice Luciani shared has two components: find common ground and determine competitive benchmarking. Luciani gave suggestions for sharing insights with the board, including:
- Be concise. Avoid the noise and instead only share what is relevant to the underlying business need.
- Measure key performing indicators and use the data to make your case in budget discussions.
- Share data that demonstrates the return on investment on cybersecurity investments.
“The need to be better than the competition is always a concern of the board,” said Luciani. “It’s important to track internal progress, but you also want to know what the competition is doing. This can be vital to the organization.”