Risk Transformation: Bridging Assessment and Execution

Risk transformation is a critically important concern, but it can be difficult to bridge the gap between assessment and implementation. Many organizations have been audited and assessed, often multiple times (with respect to security footing, data privacy, maturity and gaps relating to appropriate regulations [PCI, GDPR, CCPA, HIPAA, etc.] and frameworks [NIST, ISO, etc.]). But they have difficulty remediating the most pressing findings because their assessors/vendors are routinely incapable of explaining how to fix the problems they’ve identified.

Even when multiple reports highlight the same issues, the accompanying recommendations – which typically take the form of a roadmap driven by the assessor’s opinion, rank ordered by risk ratings dictated by whichever framework is being used – are frequently too high-level to be actionable. The result is customers left feeling they have to “boil the ocean” to realize even short-term results (or worse, they’re left feeling that the duration of any program is prohibitive).

Why is this the case? For starters, organizations are often hampered by internal and strategic leadership issues. Consensus and buy-in can be hard to come by, especially in places that still regard cybersecurity as a sunk cost/technical function. In this environment CISOs can have difficulty articulating and demonstrating the business value of security and prioritizing the initiatives promising the greatest impact. And operationally, there can be a lack of clarity on the dependencies required to implement and execute changes.

A truly strategic risk transformation program helps solve these issues by providing a systematic approach to defining and planning implementation.

Such an integrated approach leads to:

  • Normalization of assessment data to better link findings to specific initiatives within the organization
  • Development of initiative designs tailored to the customer's security architecture
  • Budget prioritization that helps move the needle in the short term, including identification of quick wins
  • Understanding and mapping of critical dependencies and success factors
  • Stronger internal communications articulating the initiative, its benefits to the organization and a description of how each audience can achieve consensus and buy-in on project initiatives
  • Better project management in execution of specific initiatives from design to testing to implementation/operationalization
  • Overarching program management to deliver a set of initiatives from both a time and budget perspective
  • Continuous improvement through iterative feedback on a program's successes and issues, used to streamline execution and steer program trajectory

The goal of cybersecurity integration is to help clients design programs and optimize processes and technologies that drive risk remediation insight upward into the organization’s business strategy and executional and operational expertise downward.

In other words, risk transformation isn’t a one-and-done. It’s continuous, iterative and programmatic.

Gregory Thompson
Senior Manager – Risk Management and Transformation
Greg has 25+ years within the information technology and security sector. In his current role he helps Optiv clients develop and implement security architecture and risk transformation programs.