Building a Collaborative Risk Management Framework 

As new cyber regulations amass with similarities to privacy laws, cyber and privacy teams are asking how they can best align, be productive, and serve their organizations and constituents. 

In a special session of The Privacy Collective, our guest, Edna Conway, who recently moved out of her global multinational operating executive role as the VP Security and Risk Officer of Azure Hardware Systems at Infrastructure and Microsoft, discussed the overlap of cybersecurity and privacy regulations and how teams can work together to build a collaborative risk management framework.

A Collaborative Mindset

For organizations large and small, privacy operations and team structures can be inconsistent. Where at some organizations, privacy might report to a legal function and cyber reports into the DIO. Without a common structure, collaboration may seem like a challenge preventing alignment.

“I think you always need members of your legal organization to set the stage, but those of us particularly who work in security often are aware of the fact that compliance is not the goal. The goal is to ensure security and resilience.”

However, to Conway, viewing compliance as a technologist-lawyer helped her cultivate a constructive lens for legal overlap across departments. Conway’s cyber/privacy mindset blends a principle-based legal approach with the framework-oriented cybersecurity thinking that succeeds through collaboration. 

From this holistic perspective, compliance isn’t a check-the-box exercise that keeps an organization afloat, but rather a collaborative effort that helps shape operations and at the same time serves the greater community interest of oversight of information. 

“The goal is actually delivering the security and privacy, your policies, and your requirements as a good corporate citizen.”

Through this mindset, the interplay between privacy and security, a common ground for conversation, oversight, and accountability can help organizations compensate for the inevitability of a security or privacy incident and help develop principled policies.

Cybersecurity Risk Management Frameworks as a Model for Alignment

As commonly understood frameworks, NIST, ISO, and SOC II offer robust standards for organizations to build internal policies upon. For a small organization in need of a starting point, frameworks like NIST offer elasticity to adapt your policies and create something that works for your needs.

To write your own collaborative policies, you’ll need to identify a baseline of compliance. For many organizations, that means identifying: 

1. The location of your organizational data including IP, PI, and customer information
2. The applicable laws that govern data management across your teams and across all geographies 
3. The consequences of non-compliance with the applicable laws 

Leaning on NIST, write a high-level view of the particular policy you want to drive and let experts from your impacted teams help shape the framework while keeping the conversation central to responsible data stewardship. 

Next, equip your decision-makers with your definition of responsible data management, your definition of compliance obligations, and let them choose the most effective method for protecting data, your company, and your customers.

“Now you become part of the very fabric of the business instead of telling them what to do and how to do it.”

This individual accountability goes beyond policy and establishes a process for implementation.

While efficiency is key, your policies should never lose sight of the ultimate goal to be secure and resilient.

Building a Supply Chain Risk Management Framework & “We the Lasagna”

For Conway’s collaborative mindset, supply chain compliance is a combination of impactful perspectives. From an environmental perspective to responsibility, compliance, and security, she shared that by staying curious and being open to collaboration, you’ll always be surprised at what you can discover.

When the COVID pandemic opened peoples’ eyes to what the supply chain really was, “we stopped being a world of us and them, and we moved to a world of we,” says Conway, which changed the way organizations and suppliers worked together.

“With flexibility, I have the ability to build something that is elastic, flexible, and lives in the world of we, but doesn’t impose on others in that community, things that are irrelevant to them or less important. And then on top of all of this, on top of the lasagna, is a risk-based model.”

In this shift, partnerships became included in the security architecture that now includes physical, logistical, and even behavioral security practices. Together, these measures provide a comprehensive approach to operational resilience and achieving organizational compliance by including humans in the process.

For an organization using NIST as a risk management framework to develop policies, ask yourself, why would you ask the same things of every third party? Don’t you think it matters what it is that that third party is providing for you?

“Taking that all the way back to the observation that the goal is not compliance, the goal is privacy and security. That’s the lasagna.”

Like a lasagna recipe, Conway believes that building internal policies includes flexibility to make substitutions that best fit your needs.

The next question is, how important is that to your operations?

Depending on the complexity of the partnership, you may offer different levels of privacy and security, levels of access, or frequency of requests. From this framework you have a model to show third parties how to improve and a framework to help them do it.