We see a rapid shift in large enterprises towards thinking about and communicating their security posture in terms of risk. With the security operations center (SOC) already overwhelmed by monitoring, responding, and defending the enterprise, extending its responsibilities to measuring risk and communicating it to management does not fit the current SOC model. We see a new, dedicated function arising: the risk operations center (ROC).
Why companies need a ROC
The massive shift to remote work during the pandemic changed the cybersecurity risk landscape. Geopolitical, environmental, and other disruptions keep producing unprecedented risks that require a proactive stance. The ROC manages these risks by continuously monitoring the enterprise's risk posture. Unlike the SOC, which by nature reacts to events, the ROC spans cyber and IT with a focus purely on proactive risk management, and works with the SOC to analyze past incidents and improve mitigation. It is supported by technologies such as artificial intelligence (AI) and machine learning (ML) that reduce the manual effort of compliance and risk assessments, as discussed in a recent Gartner report.
ROCs also focus on collaboration between technical and business stakeholders. The SOC cannot take on that role: its teams are in the weeds doing the work rather than discussing the data. The ROC measures impact and likelihood and tracks trending risks for discussion by the CISO, CIO, and other executive leadership. Risk insights that balance quantitative and qualitative information are used for risk storytelling and communication, encouraging a cyber- and risk-aware culture.
Executives are very good at making decisions based on risk. However, cybersecurity risk is still not communicated in business context, in simple terms that non-technical leadership can act on. This is one of cybersecurity's longest-standing problems, and in earlier times it could be treated as a nice-to-have. In recent years it has become clear that this level of risk communication is a need-to-have for any organization looking to compete, especially one heavily reliant on digital products and services. Implementing a ROC supported by newer technologies turns legacy IT governance, risk, and compliance (GRC) into an automated function and meets the objectives legacy systems typically fail to deliver: ease of communication, elimination of manual effort, and real-time risk management. This can potentially save large organizations up to tens of millions per year, while tracking return on security investment (ROSI) throughout. Here are three ways companies can stand up a ROC:
- Get executive buy-in.
Gartner reports that by 2025, 40 percent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10 percent today. Achieving that requires multiple groups to collaborate, and a function focused on measuring, managing, and communicating risk has become critical to supporting the trend. To establish a ROC, groups from the CISO's organization to internal innovation teams need to engage. When we see organizations, especially globally distributed enterprises, establish this hub for cyber risk management in business context, the stakeholders typically involved are the CISO group, the digital innovation and transformation teams, and the cyber risk teams.
Organizations often designate a lead champion for the project, usually someone at director level (or equivalent) covering cybersecurity risk who has experience implementing solutions and scaling internal automation projects for security and IT. This person coordinates with all the groups: gathering the CISO group's requirements, directing the innovation team on where to focus research and development, and getting a budget approved by the executive team. The IT GRC teams must also be involved, because many of the technologies needed for real-time risk management will touch their systems or replace some of that functionality, eliminating the manual effort currently needed to maintain it. We often see the request for a cyber risk function coming from the top of the organization, usually the board of directors and the C-suite. It is an encouraging trend, as more progressive organizations see the business value of measuring and gaining visibility into cyber risk.
- Create a clear, data-driven reporting strategy.
Risk visualizations, which are often both quantitative and qualitative, are essential to ground the discussion of risk exposure. Over time, graphics that allow comparison, quick analysis of financial exposure, and tracking of progress across business units or management roles make risk and its components far more intuitive. Risk visuals are essential to get to the big picture of where the company's cyber risk posture stands by business unit, functional area, domain, and even by owner. The data can also be presented by type of vulnerability and approach to remediation, and used to run comparisons. Graphics simplify complexity and drive insight into the trends and scenarios central to mitigating risk.
Especially in today's dynamic business environment, purely quantitative information, presented strategically, has a vital role. Paired with qualitative information, it enables the storytelling that gets everyone from the analyst level to the C-suite on board. Base every metric on the most recent and most complete data set available; this is a persistent problem in security because the data is always changing. Predicating risk analysis on solid quantitative analysis adds assurance at the organization's highest levels and puts the IT, risk, and compliance teams in the best position to make their case for resourcing and mitigation plans. Reports we recommend include risk heat maps, trend reports, and drill-downs into risk by financial impact, severity, and other views executives can use to make decisions.
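The reporting views described above, as an added worked example that is not code from the article or from CyberSaint: a small risk register is scored with the standard likelihood × impact annualized loss expectancy (ALE), rolled up into financial exposure per business unit, placed on a three-by-three likelihood/impact heat map, and compared quarter over quarter to produce a trend. The risk entries, business units, dollar figures and band thresholds are constructed for illustration and are not real data.

```python
"""Quantified risk reporting from a risk register: per-unit financial
exposure, a qualitative heat map, and a quarter-over-quarter trend.
Added illustration only; every register entry below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    business_unit: str
    description: str
    likelihood: float   # estimated annual probability of occurrence, 0..1
    impact_usd: float   # estimated loss from a single occurrence, in USD

    def ale(self) -> float:
        """Annualized loss expectancy: likelihood x single-event impact."""
        return self.likelihood * self.impact_usd


# Constructed sample register: two quarterly snapshots of the same organization.
PREVIOUS_QUARTER = [
    Risk("R1", "Payments", "Ransomware on settlement servers", 0.20, 5_000_000),
    Risk("R2", "Payments", "Third-party API credential leak", 0.30, 800_000),
    Risk("R3", "Retail", "Card skimming on the web checkout", 0.25, 1_200_000),
    Risk("R4", "Corporate IT", "Unpatched VPN appliance", 0.40, 600_000),
]
CURRENT_QUARTER = [
    Risk("R1", "Payments", "Ransomware on settlement servers", 0.10, 5_000_000),   # restores tested, likelihood down
    Risk("R2", "Payments", "Third-party API credential leak", 0.30, 800_000),      # unchanged
    Risk("R3", "Retail", "Card skimming on the web checkout", 0.25, 2_000_000),    # impact estimate revised up
    Risk("R4", "Corporate IT", "Unpatched VPN appliance", 0.05, 600_000),          # patched, residual risk only
    Risk("R5", "Corporate IT", "Remote-work endpoints without EDR", 0.35, 400_000),  # newly registered
]

# Band thresholds are illustrative; an organization sets its own (half-open ranges).
LIKELIHOOD_BANDS = [(0.0, 0.15, "Low"), (0.15, 0.35, "Medium"), (0.35, 1.01, "High")]
IMPACT_BANDS = [(0, 500_000, "Low"), (500_000, 2_000_000, "Medium"), (2_000_000, float("inf"), "High")]
LABELS = ["Low", "Medium", "High"]


def _band(value, bands):
    for lo, hi, label in bands:
        if lo <= value < hi:
            return label
    raise ValueError(f"{value} falls outside the band table")


def exposure_by_unit(register):
    """Drill-down view: total ALE per business unit, largest exposure first."""
    totals = defaultdict(float)
    for r in register:
        totals[r.business_unit] += r.ale()
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def heat_map(register):
    """Qualitative view: (likelihood band, impact band) -> risk ids in that cell."""
    cells = defaultdict(list)
    for r in register:
        cells[(_band(r.likelihood, LIKELIHOOD_BANDS), _band(r.impact_usd, IMPACT_BANDS))].append(r.risk_id)
    return dict(cells)


def render_heat_map(register) -> str:
    """Plain-text heat map with high likelihood on the top row, high impact on the right."""
    cells = heat_map(register)
    lines = ["likelihood \\ impact  " + "  ".join(f"{im:>8}" for im in LABELS)]
    for lk in reversed(LABELS):
        row = [",".join(cells.get((lk, im), [])) or "-" for im in LABELS]
        lines.append(f"{lk:<20} " + "  ".join(f"{c:>8}" for c in row))
    return "\n".join(lines)


def trend(previous, current):
    """Trend view: change in ALE per risk id; a new risk counts as a change from zero,
    a retired risk as a change to zero."""
    before = {r.risk_id: r.ale() for r in previous}
    after = {r.risk_id: r.ale() for r in current}
    return {rid: after.get(rid, 0.0) - before.get(rid, 0.0) for rid in sorted(set(before) | set(after))}


if __name__ == "__main__":
    for unit, usd in exposure_by_unit(CURRENT_QUARTER).items():
        print(f"{unit:<14} ALE ${usd:>12,.0f}")
    print(render_heat_map(CURRENT_QUARTER))
    for rid, delta in trend(PREVIOUS_QUARTER, CURRENT_QUARTER).items():
        print(f"{rid}: {delta:+,.0f} USD/year")
```

The numbers only mean something if likelihood and impact are sourced consistently across business units; the qualitative bands exist so that a mix of well-measured and roughly estimated risks can still be discussed on one chart, while the ALE roll-up and trend are what finance and the board can act on.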
- Take a chance on emerging technologies.
Building a ROC enables messaging and communication grounded in value generation and cybersecurity in business context. CISOs are encouraged to foster ongoing relationships with market-facing stakeholders, which will influence their ability to become a trusted partner and value generator. The ROC supports this effort, proves its value to the business at large, and allows for business growth with security in mind.
Position the project and the groups involved as internal innovators. Being an innovator within an organization requires taking calculated risks. Innovations in AI and ML, for example, carry their own risks but can deliver large benefits when implemented correctly. Using new technologies to automate the repetitive, manual tasks typically associated with compliance and risk management provides the real-time view needed to use a ROC to its fullest potential. Work with the analyst community and colleagues to evaluate new technologies, and ask vendors where they have successfully implemented their solutions and how.
Case studies are an important evaluation criterion. What evidence can vendors provide that the security team can take to top management, such as how much cost saving was delivered and over what period? Look to new applications of technologies like AI and ML, and make sure the security team can build a collaborative, transparent relationship with its partners of choice.
There are many benefits to establishing a ROC, from real-time risk analysis to a boost in business productivity and more informed risk-taking. One benefit stands above the rest: a unified strategy around risk. Getting everyone around the table involved in establishing a ROC, and allowing what that business function learns to inform strategy, puts everyone on the same page about risk. Which risks are we mitigating, avoiding, or transferring? Which risks are we ready to accept? These discussions are of immense value and, when informed by the outputs of the risk operations center, are a unifying force for an organization's CISO, CIO, CRO, CEO, and other leadership.
Padraic O’Reilly, co-founder and chief product officer, CyberSaint