Why it’s important to create a common language for cyber risk

All departments in your organization must be on the same page where cybersecurity is involved. This only happens if the terms used are understood by everyone.


Things work well when everyone is on the same page. This includes the ability to discuss topics using a language that gives everyone the same meaning.


There is a party game called Whisper Down the Lane, also known as Telephone or Gossip, that shows what happens when a word and its meaning are misinterpreted. People sit in a circle and one of them whispers a secret to a neighbor. That person passes the secret to the next person, and so on until it returns to the person who started. In many cases, the secret that comes back is very different from the one that went out.

It’s fun in a party game, but in the cybersecurity world it can be catastrophic if the recipient doesn’t interpret comments and documents as intended. According to PwC’s 2020 Global Risk Survey, nearly 50% of respondents believe that risk, internal audit, compliance and cybersecurity functions are hampered by the lack of a common view of threats and their associated risks.

But what can we do to change this? Joseph Schorr, Vice President of Strategic Alliances at LogicGate, offered his thoughts in an email. Schorr works in the GRC and IRM space, where programs often rely on technical language, vernacular, acronyms and jargon.

“When we work with our business partners and stakeholders, it’s important to find a common language so that everyone can understand the risks we’re communicating,” Schorr said. “For example, if you say that a data breach is likely to occur, that can mean 70% to one person, 80% to another person, and 50% to another person.”

Technology and processes are important factors in building a language of risk. A risk matrix is often used during risk assessment to define the level of a risk based on the probability and severity of its outcome. Schorr said the risk matrix is a valuable tool for supporting communication between departments and business units, and it’s even more helpful if the language used is understandable to everyone involved.


“As the matrix is accepted and used throughout the business, organizations will have a common reference point for resource allocation and decision making,” Schorr said. “Everyone who speaks the same language has a company-wide understanding of the investment of the entire organization, the risks of the organization, and how to use those risks to create a strategic advantage.”

Creating a universal language of risk

At first glance, creating a universal language of risk seems impossible, and it probably is. However, working hard to get closer to a place where everyone shares a common understanding is a big improvement and raises awareness. Schorr offers the following practices to achieve that:

Agree on a taxonomy: In this context, a taxonomy is an identification or naming structure used to bring clarity to risk assessment, monitoring and remediation and to create a common vocabulary.

The advantage of establishing a taxonomy or similar structure when working with other departments is that it creates functional reference points that allow for thoughtful grouping and aggregated reporting. “Sharing the taxonomy across the organization makes reporting and decision-making more effective,” Schorr said. “Standardized taxonomy also facilitates comparisons between historical data, time periods, business units, and regions.”

Establish an easy-to-understand rating system: The risk rating system should include reference points that are understandable to all parties, going beyond just low, medium and high.

Adopt a consistent company-wide risk response framework: This type of framework guides the risk management process. Schorr suggests spelling out the required actions, including indicators that identify which risks are acceptable. It is also important to use the framework company-wide; doing so enables faster decision making and fosters a culture of risk management.

Make the framework accessible: Anyone who needs risk management information should have easy access to it. “A risk management system/process that uses the same taxonomy (risk language) enables the proper and systematic use of data collected company-wide,” Schorr said. “Technologies that embed and standardize data across regions/business units facilitate efficient resource allocation and enable more informed decision making.”

Get support from people at different levels of your organization: This is probably the most important practice of the bunch, and support from senior management matters most. “In the end, after enough high-profile breaches, Facebook hacks and attacks on point-of-sale systems, security and risk ultimately became a board-level concern,” Schorr said.


He also suggested finding a champion (perhaps a security architect or a risk and compliance specialist) who can elevate the discussion and speak to business constraints and goals.

Benefits of a common risk language

Schorr said he firmly believes that incorporating standard definitions and translation tools into a risk management platform (GRC or IRM) is in the best interests of the organization.

Standard definitions and translation tools:

  • Allow individual risks to be aggregated into themes
  • Provide an integrated risk score from across the organization, which means additional data feeding into your organization’s processes
  • Create a shared data repository that can be used to track trends, anticipate new opportunities and identify key areas of concern
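The risk matrix described earlier and the shared taxonomy, agreed rating scales and theme-level aggregation from the list above, expressed in Python as an added example; this is not code from the article or from LogicGate, and the themes, scale reference points and register entries are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum

# Shared taxonomy: the one naming structure every department uses (constructed themes).
class Theme(Enum):
    DATA_BREACH = "data breach"
    RANSOMWARE = "ransomware"
    THIRD_PARTY = "third-party compromise"

# Agreed 1-5 scales with concrete reference points (constructed), so that
# "likely" means the same frequency to security, audit and finance.
LIKELIHOOD = {1: "rare (<1 in 10 years)", 2: "unlikely (1 in 5 years)",
              3: "possible (yearly)", 4: "likely (quarterly)", 5: "almost certain (monthly)"}
IMPACT = {1: "negligible (<$10k)", 2: "minor (<$100k)", 3: "moderate (<$1M)",
          4: "major (<$10M)", 5: "severe (>$10M or regulatory action)"}

@dataclass(frozen=True)
class Risk:
    name: str
    theme: Theme
    likelihood: int  # key into LIKELIHOOD
    impact: int      # key into IMPACT

    def __post_init__(self):
        # Reject ratings that are not on the agreed scales at entry time.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")

def score(risk: Risk) -> int:
    """Cell in a 5x5 risk matrix: likelihood times impact (1..25)."""
    return risk.likelihood * risk.impact

def rating(risk: Risk) -> str:
    """Map the matrix cell to a band using thresholds fixed company-wide."""
    s = score(risk)
    return "critical" if s >= 15 else "high" if s >= 10 else "medium" if s >= 5 else "low"

def aggregate_by_theme(risks):
    """Roll individual risks up into taxonomy themes: top score and count per theme."""
    summary = defaultdict(lambda: {"max_score": 0, "count": 0})
    for r in risks:
        summary[r.theme]["max_score"] = max(summary[r.theme]["max_score"], score(r))
        summary[r.theme]["count"] += 1
    return dict(summary)

# Constructed register entries as different departments might record them.
REGISTER = [
    Risk("Unpatched VPN appliance", Theme.RANSOMWARE, 4, 5),
    Risk("Laptop without disk encryption", Theme.DATA_BREACH, 3, 3),
    Risk("Vendor with stale access keys", Theme.THIRD_PARTY, 2, 4),
    Risk("Phishing leading to mailbox access", Theme.DATA_BREACH, 5, 3),
]
```

Because every entry must use the same scales and the same theme names, the per-theme roll-up can be compared across business units and reporting periods without re-translating each department's wording.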

Using terms that everyone understands is neither new nor rocket science. What’s new is applying this concept to managing the risks associated with cybersecurity, a complex and rapidly changing area. It may not be perfect, but moving the bar to a place where everyone is on the same page seems like a good start.
