What Kind of Glasses Are You Wearing? Your View of Risk May Be Your Biggest Risk of All

Author: Meghan Maneval, CISM, CRISC, Vice President of Product Strategy and Evangelism at RiskOptics
Date Published: 31 January 2023

The beginning of a new year is the perfect time to reflect on the past year and assess any industry trends or upcoming events that could impact organizations. This can include evaluating the threat landscape, reviewing risk posture or crafting a plan to better protect the enterprise in the future. It is no secret that 2022 was marred by ransomware, data breaches, and exploitations, leaving boards of directors (BoDs) and organizational leaders asking, “Are we doing enough to protect ourselves?” 

What Kind of Glasses Are You Wearing?

Risk and security professionals need to be prepared to respond to tough questions. But all too often, communication of risk is focused on how an organization is being protected rather than how well it is being protected. This is largely due to the type of metaphorical glasses being worn within the organization.

Rose-Colored Glasses
For anyone unfamiliar with the expression, someone who is said to be wearing rose-colored glasses perceives events in an optimistic but potentially naive manner. Rose-colored glasses are generally worn by risk professionals who focus on compliance and the achievement of certifications. Their focus is on passing an audit. When this is achieved, it is conveyed to stakeholders that the organization has satisfactory controls in place, and everyone celebrates a job well done.

Painting this rosy picture projects the illusion that compliance equals security and that the enterprise has no sources of risk to worry about. However, just because controls are effective, it does not mean that the organization’s risk has been sufficiently reduced. Wearing rose-colored glasses misleads organizational leaders into believing that everything is fine. If an incident then occurs, they could be caught off guard and blame their risk team for the perceived lapse.


Blinders
Wearing blinders is similar to wearing rose-colored glasses. However, in this case, it is the organizational leaders who wear them. Despite best efforts to communicate the context and need for investments in security and risk reduction, decision makers might ignore or devalue such initiatives. From their standpoint, as long as the organization can pass an external audit or obtain a compliance certification, they are satisfied. Those wearing blinders often do not see or understand the need to expand or invest in security.

Magnifying Lenses
In contrast to the lack of scrutiny described in the previous examples, those using magnifying lenses often overanalyze security and risk information. They research incidents that have taken place at other organizations in hopes that understanding the high-level details on security and risk reduction activities will be enough to prevent their enterprise from becoming the next media headline. While this level of scrutiny is not necessarily bad, it is not always healthy. Organizational leaders use magnifying lenses when they lack confidence that their organization is protected. They are hyper-focused on the details of nonconformance, risk treatment plans, and the latest threats and vulnerabilities because they do not understand what is being done to reduce risk at their organization.

Communication Breakdowns Lead to Mistrust

In a 2021 study, 77% of respondents noted that they saw an “increase in the number of disruptive attacks, such as ransomware, over the last 12 months.”1 But another study captured that “just 9% of boards declared themselves extremely confident that the cybersecurity risks and mitigation measures presented to them can protect the organization from major cyber-attacks.”2 This discrepancy is largely due to how risk professionals communicate with organizational leaders.

While compliance-focused metrics can be valuable, they do not always provide stakeholders with sufficient, meaningful or actionable data. Audit reports are derived from point-in-time assessments that are outdated almost as soon as they are reported. Further, in many cases, control sample testing is done, which ignores the likelihood of nonconformities occurring elsewhere within the population. And all too often, audit reports are provided to stakeholders without context, background or explanations of how the results impact the enterprise. The result is unprepared organizational leadership with a false sense of security and no urgency to invest in security. That leaves organizations highly susceptible to attack.


In contrast, risk professionals must collaborate with organizational leaders to understand enterprise goals and objectives and communicate risk. Adjusting metrics and communication to highlight the risk to the organization rather than the result of an audit provides contextual data and ensures that stakeholders can make informed decisions.

Put On Your Risk-Colored Glasses

In 2023, it is time for a new pair of glasses. Organizations must shift from a compliance-focused approach to a more comprehensive risk program that aligns compliance, cybersecurity and risk management activities with business goals and objectives. When one focuses on organizational objectives and takes the time to understand the desired strategic outcomes, one can assess all factors that impact those objectives, automate assessments to determine whether risk is being sufficiently reduced in relation to those objectives, and tailor risk reduction activities to accelerate the business. With this approach, the organization is no longer conducting assessments for the sake of obtaining a certification; it is using the information captured from control assessments to recommend risk reduction activities in support of business objectives.

Those who wear risk-colored glasses collaborate with organizational leaders to understand strategic objectives and identify critical assets and processes that must be secured to achieve those objectives. Rather than merely focusing on meeting compliance requirements, the focus is on assessing and mitigating the risk to the business. 

What Do Risk-Colored Glasses Show?

Consider an organization that is focusing on increasing revenue by expanding outbound sales in new territories in the European market. A compliance-focused organization might conduct an internal assessment of EU General Data Protection Regulation (GDPR) requirements, determine if there are current controls in place to meet them and report metrics indicating the organization is compliant.

However, a risk-focused enterprise begins by assessing the unique threats within the region and determining the risk factors that could prevent the organization from conducting sales in Europe. For example, supporting a growing customer base could result in a greater demand for resources and elevate the risk of a business disruption. This could lead to reputational damage and/or cancelled contracts and prevent the organization from achieving success in Europe. To reduce this risk, the organization could deploy redundant infrastructure in the European Union and utilize local utility providers to support highly available and more fault-tolerant services for their customers. Although this initiative may not be required to be compliant with GDPR, investing in the implementation of this control would reduce the risk of lost revenue in the future and enable the organization to meet its objective.

Those wearing risk-colored glasses help their organizational leaders make decisions based on the potential impact on business objectives and priorities. This allows risk professionals to report realistic data in the context of the business. But they also utilize these glasses when approaching compliance. As noted, there is high risk associated with relying on annual audits for security assurance. Instead of relying on point-in-time audits with limited sample sizes, those wearing risk-colored glasses focus on automating evidence collection and control assessments. This enables full population testing to be conducted continuously throughout the year. And given the inverse relationship between control efficacy and residual risk, automating these activities allows risk professionals to utilize the compliance activities they are already doing to create an always-on risk management program.

Wearing risk-colored glasses empowers risk professionals to proactively monitor and communicate risk in a context their organization will understand. Viewing business outcomes from this perspective enables organizational leadership to prioritize investments and agree on a suitable level of protection. Thus, they are provided the relevant information they need to make decisions and answer the question “How well are we protected?”

Author’s Note

Suggested follow-up readings:

Endnotes

1 EY, Global Information Security Study 2021, United Kingdom, 2021
2 EY, Global Board Risk Study, United Kingdom, 2021

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “What Kind of Glasses Are You Wearing? Your View of Risk May Be Your Biggest Risk of All” episode of the ISACA® Podcast.

Meghan Maneval, CISM, CRISC

Is director of technical product management at Reciprocity. She is a passionate governance, risk and compliance (GRC) evangelist, Defense Industrial Base Sector (DIBS) champion, and acronym enthusiast with more than 15 years of experience supporting audit, governance, security, risk, and compliance activities in highly regulated markets. Maneval specializes in process improvement and program iteration to resolve issues, drive innovation and gain efficiencies. She currently leads the technical product management team at Reciprocity, Inc. building the future of risk management solutions.