Why it’s important to create a common language of cyber risk
All departments of an organization need to be on the same page where cybersecurity is concerned, and that will only happen if the terminology used is understood by all.
Things work better when everyone is on the same page, and that includes the ability to discuss a topic using language that imparts the same meaning to all.
SEE: Security incident response policy (TechRepublic Premium)
There’s a party game—Whisper Down the Lane, known in some places as Telephone or Gossip—that illustrates what happens when words and their meanings are misinterpreted. People are in a circle, and someone whispers a secret to the person next to them. That person passes the secret on to the person next to them and so on until it gets back to the first individual, and—more often than not—the secret is very different.
In party games, it’s funny, but in the world of cybersecurity, not interpreting a comment or document as intended by the originator can spell disaster. The 2020 Global Risk Study by PwC said that nearly 50% of respondents believe their risk, internal audit, compliance and cybersecurity departments are hampered by not formulating a common view of threats and the associated risk.
But what can be done to change this? Joseph Schorr, vice president of strategic alliances at LogicGate, offered thoughts via email. Schorr started by looking at the GRC and IRM space—programs often using technical language/vernacular, acronyms and jargon.
“When we work with business partners and stakeholders, it’s important to make sure we find a common language, so everyone understands the risk we’re communicating,” Schorr said. “For example, saying it’s likely there will be a data breach might mean 70% likely to some, 80% to another and yet 50% likely to someone else.”
Technology and processes are vital components when it comes to the language of risk. A risk matrix is often used during risk assessments to define the level of risk by considering probability and consequence severity. Schorr said risk matrices are a valuable tool used to help communicate between departments and companies. They would be even more helpful if the language used is understandable by all parties.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
“When you have a matrix accepted and used across the entire business, your organization now has a common point of reference for resource allocation and decision-making,” Schorr said. “Everyone using the same language shows investment across the board and a company-wide understanding of the organization’s risk and how that risk can be used to generate a strategic advantage.”
Creating a universal language of risk
At first glimpse, creating a universal language of risk seems impossible, and it likely is. That said, making the effort and moving closer to where everyone shares a common understanding is a big improvement and increases awareness. Schorr offers the following practices to help achieve it.
Agree on a taxonomy: In this situation, taxonomy is the identification or naming structure used to clearly understand risk assessment, monitoring, remediation and creating a common vocabulary.
The benefit of having a taxonomy or similar structure in place when collaborating with other departments creates a functional reference that allows thoughtful grouping and aggregated reporting. “Taxonomy shared organization-wide increases the effectiveness of reporting and decision-making,” Schorr said. “And standardized taxonomy facilitates comparisons across historical data, time periods, business units and regions.”
Establish an understandable rating system: The risk-rating system needs to go beyond simply low, medium and high, and include reference points that are understandable by all concerned parties.
Employ a consistent company-wide risk-response framework: This type of framework will guide the process of risk management. Schorr suggests including metrics that identify which risks are acceptable and highlighting actions that are required. Also, it is crucial to use the framework company-wide; doing so enables faster decision making and cultivates a risk-management culture.
Make the framework accessible: Anyone needing risk-management information should have easy access to it. “Risk-management systems/processes with the same taxonomy (risk language) ensure appropriate, systematic use of data collected company-wide,” Schorr said. “Technology incorporating and standardizing data across regions/business units drives efficient resource allocation, enabling better-informed decisions.”
Get buy-in from people at different levels of an organization: This is likely the most important practice of the bunch, especially getting buy-in from upper management. “After there were finally enough high-level breaches, Facebook hacks and attacks on POS systems, security and risk finally became a board-level concern,” Schorr said.
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
He also suggested finding a champion—someone internal to the company, possibly a security architect or risk and compliance specialist—who will elevate the discussion and talk more about the business constraints and goals.
Benefits of a common language of risk
Schorr said he is a firm believer that incorporating standard definitions and translation tools into a risk-management platform (GRC or IRM) is in an organization’s best interest.
Standard definitions and translation tools:
- Allow the aggregation of individual risks into themes
- Provide consolidated risk scores from across the organization, which means additional data input into the organization’s processes
- Create a shared data repository that can be leveraged to track trends, predict new opportunities and identify areas of focus
Using terminology that everyone understands is not new and is not rocket science. What is new is employing this concept to manage risk with regard to cybersecurity—a complex and fast-changing field. It may not be perfect but moving the bar to where all are on the same page seems like a good place to start.