Solve risk and security challenges with improved executive communications
Risk and Security departments have a vulnerability, and no patch exists to address it. The weakness is the ability to communicate with executives, including senior management and the board, in a way that wins funding and additional resources.
The communications breakdown occurs due to a misalignment between your needs and what executives need. Your concerns matter to you, whether your department is IT risk, vendor risk, compliance, or audit. Meanwhile, executives have their own needs. They’re concerned about accomplishing goals and protecting the organization.
But what if you could better align communications with executive goals? At last week’s Blackhat Europe, Sam Abadir with Lockpath, a NAVEX Global Company, shared a proven approach taken by Risk and Security departments to justify programs, secure funding, and expand capabilities.
Alignment to Value matrix
The place to start improving executive communications is by creating an Alignment to Value matrix. Define risk objectives (compliance and risk management) on the X-axis. For the Y-axis, name financial objectives (cost effectiveness and strategic enablement). In the matrix space, create and name quadrants using terms familiar to your executives. For illustrative purposes, let’s use assurance, performance, compliance, and risk mitigation.
The purpose of the matrix is to put your department and executives on the same page, to show proper alignment for message delivery. Now plot your department’s tasks and goals in the quadrants. You’ll note that some reside in the quadrants of compliance and risk mitigation, but others land in assurance and performance. It can be an eye-opener because you see the organizational benefit of your department’s work.
Reframe your request
By leveraging the insights gained from the Alignment to Value matrix, you can reframe your request to executives in the context of your business executives' goals.
Consider this example exchange:
Compliance needs to keep up with PCI changes, prepare for the QSA and pass the assessment. Don’t say this to the executive:
“We need to buy a GRC tool for $75,000 to deduplicate our vulnerability scanning data, or we might get a fine from PCI.”
Instead, say it in a way that benefits the organization first:
“To further our company’s Assurance objective, we propose creating a GRC program to enable a more strategic, modern accounts receivable program and bring efficiencies to security management. We will need $90,000 for program development and resources.”
Here’s another example:
IT Security is proud of its work but needs a proof point to justify additional funding. Instead of communicating the accomplishment:
“We have zero vulnerabilities.”
Reframe the message in a way that fits better in the context of the executive and the company’s goals:
“Our risk mitigation initiatives are on target, and we have a defensible plan to provide secure services to our customers.”
You can’t deliver on a benchmark of zero vulnerabilities. Rephrasing to “on target” communicates that your efforts are working, and “a defensible plan” is language executives use. Articulating the value to customers resonates with executives concerned about customers and the bottom line.
It’s up to you
Abadir’s presentation showed you have needs, but so do executives. You’ll have better luck getting requests approved by following the insights gained from the matrix and aligning your messaging with executive goals.
Regardless of your department and needs, it’s up to you to make a compelling case to executives.