GRC: Be Connected! – Risk Management
9 February 2021 – Cyber Security Coalition
GRC: Be Connected! about risk management
Zero risk is not of this world, particularly in the world of IT. So risk management is a must, though also quite a challenge. The second webinar in the GRC: Be Connected! series – an initiative of the Cyber Security Coalition (CSC), ISACA Belgium and the Solvay Brussels School of Economics & Management – once again takes a very practical ‘point of view’ on this hot topic.
Peter Debasse, Group CISO KBC Group & chair of the CSC Governance Risk Compliance (GRC) focus group, kicked off the seminar with a broad overview of all aspects pertaining to risk management. Starting with ‘why risk management’, the reasons range from the growing attack danger to imperative regulations. He also identified the numerous internal stakeholders in a company, including the active lines of defence (up to board level), with a need for monitoring at all levels. The scope of risk management must map the risk universe onto the control universe, structured by means of standards and frameworks down to hands-on controls. The process starts from the context, moves through identification of risks, analysis and action, and ends in monitoring. This also includes risk/maturity assessment (how to reach the target) and compliance checks (be prepared). Complex? Indeed, it is a collection of interconnected processes. Companies will strive to digitize risk management, starting from the initial phase of acquiring fundamental skills and tools, with a qualitative outcome. Later, aspects can be automated, which requires additional automation skills and keeping a grip on the quality of data from multiple sources. Ultimately, the digitalization of risk management can result in real-time analysis of aggregated data, supported by data science skills, with a predictive outcome. Clearly, people will appreciate a helping hand while going through all these phases, so Peter Debasse welcomes new members in the GRC focus group.
Dina Quraishi, Risk Management Leader, followed up on this overview by drilling down on specific building blocks of risk management. She illustrated the interconnectedness of all these blocks with the neat metaphor of the interplay of musicians and specialists in an orchestra. Getting the essentials right implies understanding the importance of the context of every company, and adapting risk management to the specific constraints of a specific company. Beware of tools if you don’t understand their output, and do communicate with other stakeholders. Interesting tip for risk managers: apply risk assessment to your own processes, to check whether a particular approach makes sense. Go for standards (don’t re-invent the wheel), but do adapt them to your company. Discuss risk appetite and risk tolerance (two different aspects!). Provide for continuous improvement, as situations will change.
Of crucial importance is the attention you pay to your team, whether this is small or large. Create a community within the company, and look for outside cooperation. Balance inside expertise with fresh views from newcomers.
The skillful Chief Risk Officer (CRO) combines professional expertise with the communication skills to reach other groups in the company, including executive and board level, and defends both the immediate and the long-term ROI of risk management. And the CRO knows how to time new measures and approaches.
Having acquired the necessary skills is fine, but proving you have the skills is better. Arnold Meyers, Information Risk Manager Argenta & Certification Director ISACA Belgium, pointed out the added value of certifications: for teams, more effectiveness through more structured expertise; for individuals, better job retention and improved personal marketability. He provided information about two ISACA certifications: Certified in Risk and Information Systems Control (CRISC) and the Certificate in IT Risk Fundamentals. He also explained how to study for these certificates (e.g. ISACA Belgium boot camps), prepare for the exam, and apply for the certification. A final plus: you join a worldwide community of 158,000+ experts, of which 900+ are Belgian colleagues.