Jun 23, 2021
Measuring What Matters: Aligning Risk Measurement With Corporate Goals and Objectives
Risk is everywhere, but focusing on your organization’s main objectives reduces the clutterBy Jonathan Freinberg, Manager, Governance, Risk & Compliance, Tanium
If you ask most IT security experts, risk is everywhere. There’s risk in unpatched endpoints, new malware variants, phishing attacks, shadow IT cloud services, laptops left on park benches — the list goes on.
At least once or twice a year, your company’s risk management team will be asked to measure and report the risk across your organization in a way that’s meaningful to the executive team and board.
With so many technical details contributing to risk, your team might wonder how to approach this important and wide-ranging work. Your company’s security team should already be tracking malware variants and determining which systems need new patches. But are those the numbers your executive team and your board of directors care about? If those numbers bob up and down from quarter to quarter, is your team doing a good job? If you think so, will the board think so, too?
Instead, the real question is: How do you measure risk in ways that can help your organization’s leaders? Or, to put it another way: How do you measure risk so that your organization’s leaders can first understand what’s relevant about risk and then make the right decisions to reduce it?
In this post, I share best practices for measuring risk in ways that are meaningful to the top. That’s where we’re going to start — at the top of the organization, and the objectives that your organization’s leaders have decided are most pressing.
Measuring the risks that matter to your leaders
Let’s set aside risk for a moment and talk instead about the work of the executive team and board of directors. They’re responsible for setting your organization’s strategic direction. That includes ensuring that decisions and investments at lower levels of management support your company’s high-level strategy.
No matter what business you’re in, these high-level objectives will almost certainly include:
- Business continuity
- Data confidentiality, integrity and availability (data CIA)
- Regulatory compliance
Let’s consider each in turn.
Measuring risk associated with business continuity
Business continuity means keeping the lights on, keeping employees productive, keeping manufacturing and shipping operations (if relevant) humming along, and ensuring that any other types of operation — whether that’s pumping oil or delivering a SaaS product —continues working, no matter what.
This category includes disaster recovery. It also includes ensuring that business-critical IT services have enough capacity to support all users, including employees, customers and partners.
Business continuity also means these services can withstand security threats such as DDoS attacks, and that misconfigurations or other IT management errors will never shut out employees from the applications and IT resources they need.
Measuring risk associated with data confidentiality, integrity and availability
In every industry, people recognize the importance of data — it’s the “new oil” of the digital economy — as well as the urgency to protect it. Organizations have always taken some measures to keep data confidential and ensure that it’s available only to authorized users.
But the challenge of keeping data secure has increased. For one, sensitive data is now being accessed from more locations than ever before. That’s due, in part, to the Work-from-Home (WFH) workforce, which increasingly uses bring-your-own-devices (BYOD) rather than laptops and desktops tested and provisioned by their IT department.
The security status of these endpoints is difficult to monitor because the security tools most organizations use were designed to work primarily with endpoints on a local network.
Also, companies are relying strategically on data in new ways. That includes creating new products and services by combining internal and external data. This is reflected in the rise of a new executive team member, the Chief Data Officer (CDO), attesting to the growing importance of data to organizational direction and financial standing.
One way or another, every organization in every industry will need to ensure data confidentiality, integrity and availability (or as it’s known in some IT circles, “data CIA”).
Measuring risk associated with regulatory compliance
But there are other regulations, too, and they cover everything from financial reporting to racial discrimination. They’re regulations no organization can afford to violate. Noncompliance can result in hefty fines, contract cancellations, and bad publicity that lasts for years.
For example, one UK study found that the cumulative losses resulting from a regulatory penalty equaled nine times the regulatory fine itself. Few companies would knowingly take on that size risk.
To measure compliance risk effectively, you’ll need to know which regulations matter to your organization. Then you’ll need to track the IT assets and processes that can help determine whether your company complies.
Framing risk with strategic objectives
To get the attention of your organization’s leaders, frame your discussion of risk and risk measurements in terms of their top strategic objectives.
After all, it’s their job to ensure your organization achieves its core objectives around business continuity, data privacy and regulatory compliance. Of course, they might lead the company to achieve other objectives, too, such as annual sales growth or the company culture.
And when these leaders meet, it’s these objectives they’re thinking about. That’s why it’s so important that you frame your IT risks in the context of the organization’s strategy.
I began this post by noting that risk is everywhere. But if you focus on your organization’s strategic objectives, you won’t need to spend time cataloging every possible IT security or compliance metric. Instead, you can focus on measuring metrics that reflect any risk to your company achieving its highest-level objectives.
In future blog posts in this series, Tanium risk experts will go into more detail about how to measure risk and report it to your company’s leadership.
For now, though, you can breathe a sigh of relief. You don’t need to build a vast collection of spreadsheets that track every possible security and compliance metric from all your IT systems and operational processes.
Instead, when measuring risk, now you’ve got a prioritized list of objectives to start from. You still have work to do, but now it’s focused. And your reports are more likely to be understood by the leaders setting your organization’s course.
Learn more about how Tanium can help you enhance data visibility and reduce risk.