Skip to main content

Risk Transformation: Bridging Assessment and Execution

November 07, 2019

Risk transformation is a critically important concern, but it can be difficult to bridge the gap between assessment and implementation. Many organizations have been audited and assessed, often multiple times (with respect to security footing, data privacy, maturity and gaps relating to appropriate regulations [PCI, GDPR, CCPA, HIPAA, etc.] and frameworks [NIST, ISO, etc.). But they have difficulty remediating the most pressing findings because their assessors/vendors are routinely incapable of explaining how to fix the problems they’ve identified.

Even when multiple reports highlight the same issues, the accompanying recommendations – which typically take the form of a roadmap driven by the assessor’s opinion, rank ordered by risk ratings dictated by whichever framework is being used – are frequently too high-level to be actionable. The result is customers left feeling they have to “boil the ocean” to realize even short-term results (or worse, they’re left feeling that the duration of any program is prohibitive).

Why is this the case? For starters, organizations are often hampered by internal and strategic leadership issues. Consensus and buy-in can be hard to come by, especially in places that still regard cybersecurity as a sunk cost/technical function. In this environment CISOs can have difficulty articulating and demonstrating the business value of security and prioritizing the initiatives promising the greatest impact. And operationally, there can be lack of clarity on the dependencies required to implement and execute changes.

A truly strategic risk transformation program helps solve these issues by providing a systematic approach to defining and planning implementation.

Such an integrated approach leads to:

  • Normalization of assessment data to better link findings to specific initiatives within the organization
  • Development of initiative designs tailored to the customer's security architecture
  • Budget prioritization that helps move the needle in the short term, including identification of quick wins
  • Understanding and mapping of critical dependencies and success factors
  • Stronger internal communications articulating the initiative, its benefits to the organization and a description of how each audience can achieve consensus and buy-in on project initiatives
  • Better project management in execution of specific initiatives from design to testing to implementation/operationalization
  • Overarching program management to deliver a set of initiatives from both a time and budget perspective
  • Continuous improvements through iterative feedback of the successes and issues of a program is deployed to streamline execution and drive program trajectory

The goal of cybersecurity integration is to help clients design programs and optimize processes and technologies that drive risk remediation insight upward into the organization’s business strategy and executional and operational expertise downward.

In other words, risk transformation isn’t a one-and-done. It’s continuous, iterative and programmatic.

    Gregory Thompson

By: Gregory Thompson

Senior Manager – Risk Management and Transformation

See More

Related Blogs

October 16, 2019

2019 Cyber Threat Intelligence Estimate: Security Must Be Strategic

The 2019 CTIE shows security practitioners must be familiar with their environments and global trends.

See Details

December 13, 2017

Cyber Threat Intelligence Requires Commitment

It’s been said that in a breakfast of bacon and eggs, the chicken is involved but the pig is committed. This saying is relevant when implementing a cy...

See Details

July 24, 2019

Closing the People, Processes and Technology Gap: How Innovation Can Strengthen Your Cybersecurity Program

Learn how to achieve the right combination of people, processes and technology to evolve your cybersecurity program.

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.