Business moves at a hectic pace. To remain competitive, business units are quick to launch new services, engage in partnerships, and introduce new technologies for internal and client use. Though necessary for success, these changes also represent a series of potential risks that the security team struggles to understand, evaluate, and act on with short notice.
As the pace quickens, how can security possibly keep up to provide effective risk management? The key is visualization. Done properly, this allows security to understand where to focus, and even better, it allows the business a voice in the process to ensure that the right information and systems are protected.
It Starts by Stepping Back to Get the Big Picture
Place emphasis on introducing the importance of visualization and guiding people through the process. Use available skills and tools to bring people together and physically illustrate the process from idea to production (or whatever is appropriate). This seemingly simple and often overlooked exercise allows people to actually “see” how things work.
Visualization quickly surfaces important outcomes that are necessary for successful risk management as well as governance and the ability to demonstrate compliance. Introducing and guiding people through the visualization process has three chief benefits:
- Bringing People Together Through Pictures
Bring people together to start the process. Select as small a group as seems necessary—additional people are often consulted or added as the process unfolds. Often, it’s the first time a blended team has come together to actually consider the steps and sequence of the process.
Appoint someone to scribe the process on the board. This provides the visual anchor for people to see what’s happening. Simple works better. Generally, this means boxes, arrows, and words. Sometimes it includes question marks or the like. Big whiteboards and conference rooms with coffee help.
Start by asking the group to walk through the business sequence. Let people take the time to describe the steps they follow; those narratives provide the insights that inform proper risk management. They also hold the clues for the measurement and evidence necessary for governance and compliance. Don’t be surprised if the first pass produces a clearly inefficient monster. The result is the ability to actually partner on producing a better way—a way that works for everyone, protects what matters, allows the right level of managing risk, provides governance (in context), and demonstrates compliance.
- Improving the Business
The business doesn’t always have a complete understanding of the complexity of its own processes. Just like security, each business unit has a series of high-pressure deadlines, outcomes, and specific ways its performance is measured. The company depends on them for success.
When security steps back to guide business colleagues through the visualization exercise, those colleagues gain a keen and important insight into how they do their work. It creates a rare and needed opportunity to talk about which parts are essential to their success.
The visual map allows the business to clearly see where their risks are. In their context. And it gives them the structure to talk about the real risks and work with the security team to explore and implement the proper controls necessary for protecting what matters while still driving the results necessary for success.
- Improving Risk Management
This is the opportunity: security and business gain the same insight into the actual risk of the business. Bringing the right people together to visualize and map the business process creates a mutual understanding of risks and the appropriate actions to take.
Seeing the process clearly through to the outcome allows everyone to focus on the same goal. That means security is able to provide effective risk management while the business develops a different perspective about the value of security. The more accurate and complete the picture, the more effective and efficient risk management and governance become. The same picture makes it easier to demonstrate compliance to others by showing them precisely how things work.
Expanded Field of View
Most people in security roles, including GRC, focus on their own field of view. While natural, it means that key areas for managing risk are left unseen and unprotected. It introduces inefficiencies in the governance and compliance processes.
Visualization is an important step to expand the field of view (for everyone). Working together to capture the process improves mutual understanding and ensures people focus on the right steps to reach the goal. This allows security to help increase the value of the business while also helping the business appreciate the role security plays—in the context of their own efforts.