We’ve previously discussed the importance of risk management, and the challenges that come from approaching risk through large-scale frameworks. According to an abstract framework, many organizations aren’t necessarily equipped to mobilize far-ranging risk assessments.
Here, we’ll discuss a compromise to combine the best of both worlds: standards-based risk management.
What is the Difference Between a Risk and Cybersecurity?
When organizations like the National Institute for Standards and Technology (NIST) start promoting risk assessment as a priority, they are addressing a shift in how compliance and security are addressed across enterprises associated with government agencies (or private enterprises) should they adopt recommendations).
Traditionally, compliance involved teams of internal (or external) experts and external (or internal) auditors assessing the existing processes, technologies and software to measure them against existing compliance standards. This is relatively simple–if a given regulation calls for specific security measures and the organization does not implement them, they are not in compliance.
Compliance management, then, became a practice of monitoring regulations and solutions that would adhere to those regulations. The organization would allocate resources to obtain and implement those solutions as needed.
This approach assumes a few things. First, that cybersecurity is reducible to a collection of security controls. However, as we’ve seen in recent years, even seemingly secure systems can become targets of attack due to unexpected vulnerabilities or attack vectors that come with service provider integrations.
Second, it assumes that a series of security controls can meet every organization’s specific needs and challenges that adopt them, no matter the industry.
Many regulatory bodies recognize the limitation of this approach, and some, like NIST, are moving to more risk-oriented models. This, as we’ve covered previously, can come with its own problem, namely that:
- Risk management can become excessively complex for under prepared enterprises.
- Risk management frameworks can prove too abstract to implement effectively.
- Risk management can assume too much expertise on the part of the organization, which can distance them from understanding their actual requirements.
The push to assume organizations use risk to move into understanding their cybersecurity positioning is a good one. Still, it requires some compromise between a more abstract risk management framework that purposely remains standard-agnostic and one grounded in a standards-based approach to assessing risk.
Approaching Compliance-Based Risk Management
The bottom line is that a risk management strategy should lead you to an effective compliance strategy, and if it doesn’t, it isn’t helping your organization properly manage cybersecurity.
However, moving from risk to compliance can prove tricky for a few reasons:
- Bridging the Knowledge Gap: If your enterprise isn’t knowledgeable about risk management strategies or how to implement them, it can be difficult to fully understand what it means to translate risk against actual control implementation.
- Understanding Risk Tolerance: Risk tolerance is the position your organization takes concerning the levels of cybersecurity risks that your organization may take. For example, while a security requirement may call for a specific type of control, it may not define specific levels of complexity, leaving the organization to make decisions based on their needs. This puts the enterprise in a position where they must weigh their business priorities, compliance priorities and obligations to their customers or clients and find the right balance for the company.
- Maintaining Real-Time Compliance: Threats, regulations and technologies change rapidly, and it’s understood that enterprises will be able to respond to those changes as needed. Without a firm grasp on how changes in any of these categories affect the company, you can’t clearly understand where your vulnerable or non-compliant sectors might be.
Compliance by itself doesn’t translate into real operational value, but digging into the weeds of risk management won’t help you completely understand the nuts and bolts of your compliance requirements. That’s why approach risk with an eye toward your compliance framework as the foundation.
What Are the Benefits of Grounding Risk Management in Compliance?
A standards-based approach to risk management can help your organization navigate some complexities of both compliance and risk management by addressing some specific challenges of both disciplines.
Some benefits include the following:
- Providing Clarity Regarding Risk Profile: Using security regulations with a clear picture of what’s expected of your organization can help ground risk assessment in something more understandable and readily scannable. While any compliance regulation isn’t the end-all-be-all of risk management, it can help keep initial risk assessment efforts manageable.
- Supporting Iterative Integration and Scalability: By starting with a compliance baseline, you can better understand how to integrate other company systems and business priorities into your overall risk strategy and then scale out your efforts to encompass them while avoiding data silos.
- Converting Compliance Regulations to Business Value: If you’re working with government agencies or other security-minded companies, compliance is only the starting point of your IT relationship. Almost any trusted partner will be expected to implement security and confidentiality systems that potentially exceed baseline compliance levels. Risk assessment can help you extend your security to address different partnerships and vendor relationships adequately.
The accepted approach to compliance (using risk management to inform comprehensive security strategies) can be reversed by using compliance to provide scaffolding for risk assessments.
Approach Compliance and Risk Management With Lazarus Alliance
Our approach to compliance and risk is, first and foremost, about making sure that both work for your company. We have decades of experience helping companies in the public and private sectors manage their security obligations and risk assessments in ways that speak to their unique needs.
To help integrate compliance standards as a part of the risk management process, Lazarus Alliance uses the Continuum GRC ITAMs platform to help create visualizations of risk as an extension of actual, understandable regulations and compliance standards. This cloud-based platform connects your team with all the information they need to drive productive and scalable risk and security strategies.
Are You Ready to Take the Next Steps in Your Risk and Compliance Journey?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.