It isn’t surprising that a quantitative risk management program (QRMP) more easily succeeds when driven from the top. When I look at my successful customers, effective leadership at the C-level is typically the key. In terms of a quantitative risk management program, this is typically the CISO.
What does “leadership” mean? In other words, what actions and behaviors are needed to improve the probability of success of implementing a quantitative risk management program? Let’s focus on some key differentiators.
Leanne Scott is a Customer Success Executive with RiskLens
Conviction is “the ability to convey that one is firmly convinced of what one believes or says.” The CISOs most successful in implementing a QRMP have conviction. They aren’t going to “try” quantitative risk and “see if people are receptive to it”; they are going to implement a quantitative risk management program and report their top risks to the board quantitatively by a date certain. It’s a statement, not a question. These CISOs know where they want to go, and they know how to make it happen. (See #4, Champion Change.)
An objective is “an idea of the future or desired result that a person or a group of people envision, plan and commit to achieve.” Envision, plan and commit to achieve is a lot to unpack, so let’s just talk about having an objective that is within your realm of control to achieve. In other words, the primary resources are directly within your domain. You are the decision maker when questions arise. You can open doors for the team when requests for collaboration meet with resistance.
A CISO’s initial objective is included in a charter statement. The objective is typically to improve visibility into technology risks for a board or executive committee, or to inform his/her own decisions on security projects using cost benefit analyses. Whatever your objective is, write it down, communicate it and live it… with conviction!
While the CISO’s actions and behavior are key, hiring or assigning the right team is also very important. Technical and critical thinking skills aside, the lead(s) need to be able to see the vision, believe in it, and break it down into actionable tasks. They need the ability to build relationships across departments and help the team cross barriers as they arise. The strongest leads and teams embrace the project just as much as the CISO does, and they can speak to its purpose, its benefits and its outcomes just as well. As a good start, train your team. Show your commitment by making that initial investment in your people.
Championing change is leading the charge, rallying the troops, and forging the path. If this is truly change that you, the CISO, want to see succeed, and if you have conviction, you need to stay actively involved and out in front until the quantification program is adopted by the organization. Don’t stop selling the vision, communicating the plans, supporting the team, and building internal support every day. Your mantra needs to be the compelling reason this work is important and a priority. Change requires persistence, vocalization and keeping everyone’s eye on the prize.
You are the CISO. You’ve decided to implement a quantitative technology risk program. It will be targeted towards a defined end. Your team is motivated to perform. You will stay engaged. You will lead the charge. Add these differentiators to your plan, and you will succeed.