A Better Framework for Risk Management Decision-Making

Security leaders find themselves in an unusual position these days. Many of us came up from the technology world, yet we increasingly interact with business leaders as they seek to address various types of risk: legal, financial, reputational and operational. Historically, technology and business groups have approached risk from different perspectives, which creates challenges that can hamper decision-making about risk management. 

Often, business and technology groups speak different languages and view risk differently. This disconnect isn’t new, but the growing complexity of IT and business can exacerbate the divide. Cultural issues can also be a factor, along with the large number of decision-makers who may be involved. For instance, developers are now part of security processes. Finance and legal departments are focused on liability issues and regulatory fines. Another department may monitor compliance with privacy laws. 

Whatever the reason, when organizations lack effective processes for addressing risk, groups may spiral off in different directions and fail to manage risk effectively.

Fortunately, technology and business leaders are partnering more frequently in risk management efforts. They’re asking important questions, such as:

• Do we agree about what risk is? 
• Do we agree about where our environments are the most threatened? 
• Are we collectively making better decisions about how to address these threats?

One strategy that can simplify and improve decision-making is to break these conversations down to three levels: executive, strategic and tactical.

At the executive level, people make decisions about the business overall. They may not be executives per se, but they make decisions that affect broad, businesswide risk factors. The strategic level ensures these decisions are working — and if they aren’t, decision-makers should consider ways to improve them or how to adjust processes and workflows to accomplish what the executive level wants to achieve. The tactical level is operational: those who fix problems and get the work done.

Approaching risk this way helps to narrow the complexity of the work; not only what each group is saying, but also how they’re saying it and which metrics and reporting structures they’ll use. For instance, this approach may yield questions such as:

• How does the strategic level tend to look at information? 
• How will the tactical team interpret specific points?

Building a reporting structure that aligns with the needs of each group makes it easier for those groups to make better decisions.

Consider a situation in which an IT leader reports to an organization’s executive leadership that the IT team found 25,000 vulnerabilities over the previous month and fixed 10,000 of them. Is 25,000 bad? Is fixing 10,000 good? Most likely, the executives lack the context to interpret this information. 

Under the framework I suggest here, the operational level would need to determine the scope of the work to understand the size of the task, as well as the tools and team members needed to address it. The strategic level would be concerned with questions such as:

• Is the operational team patching the right areas? 
• Are their efforts moving fast enough? 
• Is the process working? 
• How can we optimize the process?

The strategic level may include sales teams, because they interact directly with prospects and are likely to be aware of process-related risks. For example, they may note that the organization’s nondisclosure agreements aren’t sufficiently protective. Conversations with sales leaders can focus on problems flagged by that team and strategies for improvement.

The executive team doesn’t need to know that there are 25,000 vulnerabilities, nor whether the process is on point or the tools are correct. The executives need to know whether the organization is safe. So, the reporting they receive might consist of simplified aggregate numbers or trend lines against industry standards.

It’s important to distill data in a way that is useful for each level. The data may be based on the same numbers, but it should be presented in a context that makes it relevant for each group and can inform the decisions they need to make. This three-level approach is about rethinking the way an organization communicates: Instead of having a dozen conversations, stakeholders should focus on three. That’s a better framework for re-engineering the organization in terms of metrics and reporting alignment.

There’s a lingering perception that security is an IT function, but the ramifications of security go far beyond technology. Approaching risk management from the executive, strategic and operational levels helps organizations think about risk more effectively and make better decisions about managing it.

Story by Nathan Wenzler, the chief security strategist for Tenable.