Vendor risk management, data breaches, the board’s view of risk, COVID-19 — these are the risk management topics discussed around the videoconferencing water cooler in 2020.
Here are our top five ideas for risk management to implement.
1. Monitor change in your organization’s regulatory, internal and external environments
According to GRC 20/20’s Michael Rasmussen, change is the greatest challenge impacting GRC. Rasmussen says factors like new laws, court decisions, mergers, business relationships, geopolitical and economic forces often affect current and needed policies. It’s important to think outside of the box, look to the news, and ask yourself – does this affect my organization? Do we have policies in place for this?
2. Optimize your risk reporting for better dialogue with executive management
If you’re in the position of reporting on risk to the executive board, you’re vying for budget against a number of contenders. David Houlihan of Blue Hill Research offered tips to maximize your time in front of company leadership. He says the most important things to remember when reporting to the board on risk are the following:
- Match corporate standards for reporting
- Focus on business objectives, not a comprehensive review of performance
- Provide clear, simple overviews, but be prepared to provide drill-down on request
- Connect risk to business operations and financial impact
Following these four guidelines will help you craft a meaningful story that will capture the board’s attention, rather than lose it.
3. Know your third parties
Shared Assessments’ Tom Garrubba emphasized the importance of knowing who your third parties are and what they do, in light of breaches where cybercriminals got in through a third-party vendor. Garrubba provided the following questions for your organization to address:
- Who are your third-party service providers?
- What services do they provide?
- What data/systems do they have access to?
Garrubba said third-party identification is where you should start to lay the groundwork for a third-party risk management program. Most companies do not maintain a current comprehensive list of vendors, so you’ll be ahead of the curve.
4. Manage the software supply chain to mitigate cyber risk
“Applications are the engine for innovation and the primary target for cyberattacks,” said Tim Jarrett of Veracode. According to Jarrett, more than 50 percent of all cyberattacks target the application layer, yet fewer than 10 percent of enterprises test all of their business-critical applications. Risk from third-party software continues to grow, and regulatory agencies are paying attention. Is your company doing the same?
5. Build a cybersecurity awareness program
Security Engineer Gary Kretzer shed light on implementing a security awareness program. Kretzer said there are three things to determine before beginning security training:
- Who do you want to target?
- What human behavior do you need to address? Clicking on emails? Visiting websites? Plugging in USB devices?
- How will you present?
  - Use topics with the greatest return on investment — phishing, malware, email, browsers, passwords, social media, etc.
  - Focus on cyber threats in employees’ personal lives that translate into their work experiences — mobile devices, BYOD, telework, remote access
An effective security awareness program will help mitigate the risk of insider threat.