Managing projects and cyber risk
Technology, processes, and people are the three key components of project management. They also happen to be the three key components driving organizational change. After all, aren’t projects all about managing change?
In my experience as a project manager and consultant, most organizations focus on technology and process when implementing change and do not spend enough time on the most important piece of the puzzle: people. Neglecting the cultural change required to implement, adopt and sustain new technology is the principal cause of poor return on investment.
The major change affecting the cyber security industry is the transition from a compliance-based to a risk-based approach. Organizations have realized that compliance only provides a minimum level of security coverage and that a business-aligned risk management approach is needed to best protect an organization's crown jewels. Security controls can no longer be applied uniformly across all of the IT infrastructure; they need to be prioritized according to the loss exposure of the assets they protect. In short, organizations need to understand what matters most to their business and which risk mitigation initiatives are most effective in protecting those assets.
Facilitating the cultural shift to quantitative risk assessments
RiskLens customers have embraced this change and are leveraging the FAIR standard quantitative risk model and the RiskLens platform to build business-aligned risk management programs. It is not uncommon for us to hear CISOs or Risk Officers express the need for a new way of thinking within their organization. Because most of their risk team members have spent years managing technology compliance checklists, these leaders are left wondering what it will take to bring about a cultural shift within their organization.
First, communicate why the shift is necessary: what is not working now, and why it is a serious enough problem to justify the pain that comes with a culture change. In the risk management space, this boils down to:
Then, provide the team with the educational materials that will support the shift from a qualitative to a quantitative mentality. Here are some resources that our customers have found particularly effective:
In addition, establishing a cadence of regular internal meetings to discuss FAIR, and organizing a FAIR book club, will generate the internal communication and discussion needed to break through the inertia of old practices and make the quantitative language of risk the new standard within your organization.