GRC: Be Connected! – Risk Management
9 February 2021 – Cyber Security Coalition
GRC: Be Connected! about risk management
Zero risk is not of this world, particularly in the world of IT. So risk management is a must, though also quite a challenge. The second webinar in the GRC: Be Connected! series – an initiative of the Cyber Security Coalition (CSC), ISACA Belgium and the Solvay Brussels School of Economics & Management – once again takes a very practical ‘point of view’ on this hot topic.
Peter Debasse, Group CISO KBC Group & chair of the CSC Governance Risk Compliance (GRC) focus group, kicked off the seminar with a broad overview of all aspects pertaining to risk management. Starting with ‘why risk management’, the reasons range from the growing threat of attacks to mandatory regulations. He also identified the numerous internal stakeholders in a company, including the active lines of defence (up to board level), with a need for monitoring at all levels. The scope of risk management must map the risks onto the control universe, structured by means of standards and frameworks down to hands-on controls. The process starts from the context, through identification of risks, analysis and action, to monitoring. This also includes risk/maturity assessment (how to reach the target) and compliance checks (be prepared). Complex? Indeed, it is a collection of interconnected processes. Companies will strive to digitize risk management, starting from the initial phase of acquiring fundamental skills and tools, with a qualitative outcome. Later, aspects can be automated, requiring additional automation skills and keeping a grip on the quality of data from multiple sources. Ultimately, the digitalization of risk management can result in real-time analysis of aggregated data, supported by data science skills, with a predictive outcome. Clearly, people will appreciate a helping hand while going through all these phases, so Peter Debasse welcomes new members in the GRC focus group.
Dina Quraishi, Risk Management Leader, followed up on this overview by drilling down on specific building blocks of risk management. She illustrated the interconnectedness of all these blocks with the neat metaphor of the interplay of musicians and specialists in an orchestra. Getting the essentials right implies understanding the importance of the context of every company, and adapting risk management to the specific constraints of a specific company. Beware of tools if you don’t understand their output, and do communicate with other stakeholders. Interesting tip for risk managers: apply risk assessment to your own processes, to check whether a particular approach makes sense. Go for standards (don’t re-invent the wheel), but do adapt them to your company. Discuss risk appetite and risk tolerance (two different aspects!). Provide for continuous improvement, as situations will change.
Of crucial importance is the attention you pay to your team, whether this is small or large. Create a community within the company, and look for outside cooperation. Balance inside expertise with fresh views from newcomers.
The skillful Chief Risk Officer (CRO) combines professional expertise with the communication skills to reach other groups in the company, including executive and board level, and defends both the immediate and the long-term ROI of risk management. And the CRO knows how to time new measures and approaches.
Having acquired the necessary skills is fine, but proving you have the skills is better. Arnold Meyers, Information Risk Manager Argenta & Certification Director ISACA Belgium, pointed out the added value of certifications: for teams, greater effectiveness through more structured expertise; for individuals, better job retention and improved personal marketability. He provided information about two ISACA certifications, Certified in Risk and Information Systems Control (CRISC) and the Certificate in IT Risk Fundamentals, and explained how to study for them (e.g. ISACA Belgium boot camps), prepare for the exam, and apply for the certification. A final plus: you join a worldwide community of 158,000+ experts, of which 900+ are Belgian colleagues.