This article first appeared in CIO Applications Magazine.
“Let’s not forget that it’s you and me vs. the problem…NOT you vs. me.”
Cybersecurity risk assessments are performed when new business opportunities are identified, to visualize risk around critical assets and processes, and for other reasons. As the security leader or the assessment leader, your goal should be to support the organization and to give leadership and stakeholders the recommendations they need to make educated, risk-based decisions, so that the assessing team is seen as a trusted partner that delivers value rather than a team that slows the organization down. Assessments are also a great opportunity for your team to engage product owners and stakeholders in business conversations about risk management rather than about security controls, and a forum for you and your team to build relationships and collaborate.
Here are some suggestions for leading and facilitating risk assessments that will help you (and your team) become a trusted partner:
Once the assessment and all of its artifacts are complete, issue your recommendation to the assessment participants, who are listed below, and make sure the team agrees that these are all of the options.
Once you have agreement on a recommendation, bring the assessing team together to deliver it to the product owners and stakeholders. This is yet another opportunity for collaboration and relationship building for your team. When delivering the recommendation, let the product owner take the lead: state the opportunity at hand and open the conversation about the risk identified, in whatever form your culture consumes best (e.g., slides or a spreadsheet). It is important to communicate every mitigation option explored, including its pros, cons, costs, and resource requirements. The assessment leader should partner with the product owner in a supporting role, adding details or clarification as needed. Alternatively, meet beforehand and define each team member's role in delivering the results. Finally, make sure every participant has an opportunity to weigh in, then close out the delivery by asking the stakeholders to decide how to treat the risk presented.
Be prepared to negotiate, to compromise, and to agree on certain items that may or may not end up in the recommendation. It is important that leaders stay objective and keep an open mind, and encourage everyone involved to do the same, in order to deliver a business solution that adds value to the organization. Nobody in that meeting should make things personal; help all of the parties involved understand that difficult decisions sometimes need to be made in the best interest of the business. This matters because many security folks get frustrated when their recommendations are not followed or a risk is accepted. Still, your goal is to lead a conversation and a decision that weighs opportunity against risk, not "issue vs. security". Likewise, product owners and stakeholders will get frustrated if the security team is unwilling to negotiate. Remember, you are trying to build a partnership.
Approaching your risk assessments objectively, collaboratively, and with an open mind leads to better-informed decision-making, which ultimately translates into value delivered by the security team, better relationships across the business, trusted partnerships, and credibility for the program.