Building a Collaborative Risk Management Framework
As new cyber regulations amass with similarities to privacy laws, cyber and privacy teams are asking how they can best align, be productive, and serve their organizations and constituents.
In a special session of The Privacy Collective, our guest, Edna Conway, who recently moved out of her global multinational operating executive role as VP Security and Risk Officer of Azure Hardware Systems and Infrastructure at Microsoft, discussed the overlap of cybersecurity and privacy regulations and how teams can work together to build a collaborative risk management framework.
A Collaborative Mindset
For organizations large and small, privacy operations and team structures can be inconsistent: at some organizations, privacy reports to a legal function while cyber reports into the DIO. Without a common structure, collaboration may seem like a challenge that prevents alignment.
However, to Conway, viewing compliance as a technologist-lawyer helped her cultivate a constructive lens for legal overlap across departments. Conway’s cyber/privacy mindset blends a principle-based legal approach with the framework-oriented cybersecurity thinking that succeeds through collaboration.
From this holistic perspective, compliance isn’t a check-the-box exercise that merely keeps an organization afloat, but rather a collaborative effort that helps shape operations and, at the same time, serves the wider community’s interest in oversight of information.
With this mindset, the interplay between privacy and security becomes a common ground for conversation, oversight, and accountability. That common ground helps organizations prepare for the inevitability of a security or privacy incident and helps them develop principled policies.
Cybersecurity Risk Management Frameworks as a Model for Alignment
As commonly understood frameworks, NIST, ISO, and SOC 2 offer robust standards on which organizations can build internal policies. For a small organization in need of a starting point, frameworks like NIST offer the elasticity to adapt your policies and create something that works for your needs.
To write your own collaborative policies, you’ll need to identify a baseline of compliance. For many organizations, that means identifying:
- The location of your organizational data including IP, PI, and customer information
- The applicable laws that govern data management across your teams and across all geographies
- The consequences of non-compliance with the applicable laws

Leaning on NIST, write a high-level view of the particular policy you want to drive and let experts from your impacted teams help shape the framework while keeping the conversation central to responsible data stewardship.
Next, equip your decision-makers with your definition of responsible data management, your definition of compliance obligations, and let them choose the most effective method for protecting data, your company, and your customers.
This individual accountability goes beyond policy and establishes a process for implementation.
While efficiency is key, your policies should never lose sight of the ultimate goal to be secure and resilient.
Building a Supply Chain Risk Management Framework & “We the Lasagna”
In Conway’s collaborative mindset, supply chain compliance combines several impactful perspectives: environmental, responsibility, compliance, and security. She shared that by staying curious and being open to collaboration, you’ll always be surprised at what you can discover.
When the COVID pandemic opened people’s eyes to what the supply chain really was, “we stopped being a world of us and them, and we moved to a world of we,” says Conway, which changed the way organizations and suppliers worked together.
In this shift, partnerships became part of a security architecture that now includes physical, logistical, and even behavioral security practices. Together, these measures provide a comprehensive approach to operational resilience and organizational compliance by including humans in the process.
For an organization using NIST as a risk management framework to develop policies, ask yourself: why would you ask the same things of every third party? Doesn’t it matter what that third party is actually providing for you?
Like a lasagna recipe, Conway believes that building internal policies includes flexibility to make substitutions that best fit your needs.
The next question is, how important is that to your operations?
Depending on the complexity of the partnership, you may offer different levels of privacy and security, levels of access, or frequency of requests. From this framework you have a model to show third parties how to improve and a framework to help them do it.