The last few weeks of each year often bring time for reflection, evaluation, and planning to set the start of each new calendar off on strong footings with clear direction. Taking time to evaluate your cyber risk program honestly, using evidence and achievement to support your review, represents a step toward greater program maturity and effective governance. It also provides a clear direction for planning 2021.
To begin, did you have clear goals for your cyber risk program in 2020? If not, setting the objective to state clear ones for the coming year is an important step forward. These goals should be stated in a manner that can be supported by clear operating evidence generated by the practices inherent in your risk program. Otherwise, you will be limited to weaker subjective review processes, subject to the whims, opinions, and agendas of others. That’s rarely a positive position to hold. If you did have clear goals for your 2020 program, how did you fare? What was achieved? Was anything exceeded? What shortcomings, omissions, or opportunities can you identify? And, most importantly, what metrics and other evidence can you offer to substantiate your assessment? End results are only one consideration. Process counts too! Methods and procedures determine what evidence, metrics, and documentation are produced through the pursuit of goal achievement. They prescribe the capital, human and material, necessary to provide services. As such, they also determine the cost basis for each service or practice delivered, and sum to the overall funding requirements to sustain your cyber risk program. They can also be indicators of how well you supported partner and stakeholder participation.
Organizing Your Evaluation
Consider the structures you’ve had in place in 2020. Is your cyber risk program organized around a documented framework such as NIST’s Cybersecurity Framework, COBIT, or another, whether used natively or customized? Is it structured around some other internal standard or custom framework? A well-formed, comprehensive framework can offer an excellent scheme for organizing and communicating your program evaluation. An advantage of most frameworks is their reliance upon clear controls to define the demonstration of capabilities. Executing these controls should offer opportunities for metrics, documentation, and clear results. Keep in mind that controls frameworks represent an upward-facing (bottom-up) perspective on risk, while threats, risk factors, and appetite considerations most often look downward upon an organization, i.e., a top-down perspective. Combining these two views of risk is an excellent approach to establishing balance between a controls orientation and a business risk tolerance perspective. Together, this balanced approach creates a powerful operating environment for managing risk across your enterprise.
If you established goals for performance against these, you have a clear way of measuring and demonstrating performance against them. If not, there are often published industry standards of performance that you can measure against your program’s results. What key takeaways for 2021 have you identified? Are there new internal goals for 2021, business or cyber risk specific, that point to initiatives to plan for in the coming year? Keep these separate from evaluations of this year, so that current year performance supports but does not complicate projects for 2021. Save them for your report, where you will indicate needs for 2021 founded upon outcomes from 2020.
Findings and Evaluation
Take a candid look at your program. What aspects were effective? Which were less so than you planned? What evidence do you have to support your assessments? There are a number of program aspects to consider in your review. Be sure to consider at least these:
- What framework did you employ? Was it customized to your business?
- Were you also operating under some IT standard, e.g., ISO 2700x, COSO, or other?
- How well did the processes for assessment, scoring and reporting work?
- Was your use of subject matter experts (SMEs) efficient? Reliable?
- How well did your cyber risk program integrate with other risk management efforts at your company?
- Did you partner with other internal resources, including internal audit, finance, human resources, and IT? How did they see your program’s partnership and performance?
- How did you perform against budget?
- How economically were threats mitigated and managed against the potential impact of any realized risk scenarios?
- Where do you have talent or non-financial resource opportunities?
Often, cyber risk program managers focus upon assessment results and methods alone, refining risk scoring methods and reporting practices as evidence of increasing maturity. While these are important, by themselves they represent an incomplete picture of program performance. The risk assessment process incorporates a good deal of training, coordination, and communication in general. How well did your workflow facilitate timely assessment completion? Were subject matter experts responsive? Did they have clear guidance on how to respond, including the level of detail you needed, how to request additional documentation or details, and how to use any automated tools you have? What do they have to say about their interaction with your processes? Canvassing other stakeholders in your process, from IT, internal audit, compliance, HR, finance, and facilities, can produce useful input too. You might also want to survey management about reporting. What key questions might they have about cyber risk management that your current communications to them do not address? What are you currently providing, if anything, that they feel is extraneous to their needs?
Consider External Influencers
How well did your cyber risk program support compliance efforts? External assessors and compliance activities often seek considerable evidence to assure that basic controls are in force and effective. How well did your risk program help provide that needed documentation? Given the current realities of a COVID-challenged environment, be sure to include input from your business continuity leaders. How has your cyber risk program been challenged, and how have you addressed the needs of a restricted or remote workforce? Were your Third Party Risk Management (TPRM) practices well integrated into your management of cyber and other operational risks? Were procurement staff able to partner effectively with your program, or were your needs seen as a barrier to timely resourcing of needed materials, talent, and services? What recommendations have these partners offered to make leveraging your efforts simpler and more efficient? The easier it is to incorporate cyber risk management into these processes, the broader, more complete, and more effective your protection from cyber threats will be.
Building the Report
Once you’ve gathered all this input, think about how to represent your findings. Prioritize your assessment to identify the top five key takeaways that will be reflected in your plan proposal for cyber risk management in 2021. Organize your findings around those, and identify any residual findings as opportunities to advance and address if resources permit. You cannot effectively plan to do everything. Prioritizing will make it easier for senior management to understand the key outcomes, most pressing needs, and the justifications for your program requests when promoting your budget for the coming year. If your budget process is already complete, and there are significant needs remaining to be addressed, this is an opportunity to present the need for specific discretionary funding to shore up important risk exposures that may have been left under-financed through regular budget preparation cycles.
Sharing Your Findings
Every organization has its own risk management hierarchy. Your report should be easily understood and offer value for everyone along that path. Its organization and content should clearly answer these questions:
- How did you perform against goals?
- What opportunities remain?
- What key recommendations do you have?
- What benefits/outcomes will they foster?
- What do you want/need to achieve these recommendations?
Keep in mind that exhaustive detail does not create great communication. Particularly when you meet with senior management, clarity and conciseness are key. Have backup detail ready to address questions, of course, but spare your audiences the need to dig through mountains of detail, just to get to key points.
About Your GRC
If you have GRC software, this is the time to review its features and its configurations. Are current workflows, modules, and integration points with various data feeds all operating with the efficiencies you expected? What changes might you make to more tightly tailor its performance to your changing operating needs? Does your platform offer embedded functionality with reporting and assessment tools? If not, how are you compensating? How well does external data from supporting partners to your GRC integrate into your assessment data stores? Do you have a document repository that’s easy to search? How well does your GRC vendor support your use of its software products? If you have considered refinements to risk scoring, reporting, or any other features, now is a good time to explore what work will be necessary to make the changes you want.
Ideally, adjustments can be achieved through configuration changes. Avoid requesting code customizations. Changes achieved through customized code are expensive, and create maintenance overhead that can drain resources away from more mission-critical matters. Customized code is often not supported immediately as part of a core software release, so applying an update requires that the customizations be removed first, then reloaded, and then tested to see what, if anything, has broken. No vendor can test every possible combination of configurations against every customization, so the testing burden will fall to you. Even if no bugs or breakage materialize, this is a time-consuming process. And if bugs do arise, their remediation, once provided, will restart this testing process. Quality GRC solutions today offer rich configuration options, and it’s best to explore them and make the best fit possible using them, so that you focus cyber risk program resources optimally on program service delivery and effective risk management.
If you do not currently use a GRC software platform, this may be the opportunity to consider its benefits in supporting all of the needs addressed here, and to begin the search for one. Risk management, and cyber risk in particular, have become increasingly complex matters to effectively identify, scope, mitigate, and manage. For most companies, organizing and handling all the data and processes needed using paper, spreadsheets, and homegrown databases falls short of the features, facilities, sophistication, and ease of use needed to achieve repeatable positive results. Your review may become a useful picklist of the key features most important to you as you begin to explore solutions for your company.
A Final Note
Taking the time for an honest self-appraisal of your cyber risk program is an important part of program delivery and planning. Seeking stakeholder input represents sound program governance. Reviewing goals, past and promised, together with achievements and opportunities builds the perspective you need to establish clear priorities aligned with your company’s mission and goals. It feeds many other planning processes for the coming year, and positions you actively for success and control while demonstrating clear guidance and leadership in this important aspect of risk management.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he’s led efforts to achieve ISO 2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.