Like millions around the globe, I enjoyed watching the World Cup this summer. But over the course of the event, I often felt bad for the goalie. For long, long stretches of the game, no one would look his way or pay attention to what he was doing. Then, in the blink of an eye, a fast break would lead to perfectly timed kick, causing the crowd to roar. All eyes would then turn to the goalie, blaming him for the goal.
For too many companies, the dynamic I just described also applies to their approach to risk management. For months, no one asks or looks or seems to care about the processes and protocols that keep them secure. Yet suddenly, in the midst of a breach, something goes wrong, and everyone places blame on a few poor souls.
The best soccer squads, like the best companies, play as team. While the goalie serves an important role, the entire team must work together to react both offensively and defensively. This takes the pressure off the goalie and shifts the focus to the team.
Savvy companies are no different. They are acutely aware that their internal risk management team needs to be properly equipped. When risk managers are included in budgeting and long-range planning, their efforts are closely monitored, and the processes they implement are carried out across the company as part of the daily operations. This can protect the company from falling out of compliance, and it can even help prevent a breach.
That means if a risk manager sets a rule that email passwords must be updated every 30 days, the organization as a whole must act to enforce the rule. If management overrides that rule at the individual or department level, this undermines the efforts of the risk management team and corporate governance. It leaves the goalie alone, trying to defend the entire field.
Worse yet, these errors are often committed out of ignorance, not laziness. In most companies, the broad majority of the workforce simply does not see itself as being involved in compliance or security, nor do they understand the true implications of undermining the organization’s efforts to manage risks.
Risk management is a company-wide effort that is most successful with a team approach. While a group or an individual may hold the primary responsibility for managing risk, it’s critical to make compliance and security a part of the company’s culture and daily business operations. This requires that companies create a program that is proactively managed and has ongoing monitoring of controls and compliance issues. This offensive approach is far better than sitting back and expecting the goalie to keep the other team, in this case malicious hackers, from scoring.
By Greg Sparrow, VP of Operations, CompliancePoint Information Security Practice
Greg Sparrow brings over 10 years of experience in information security and risk management to CompliancePoint. Greg is responsible for the design, development and delivery of information security programs to the customer base.
Greg’s previous work experience includes application development (desktop and web), infrastructure design for high availability environments and secure systems design. He also has experience working with multiple banks on the evaluation and proper implementation of encryption and key management solutions within large organizations for compliance with federal banking standards.