Risk Management Requires Relationship Management
At Pythia, we believe that relationship management is risk management.
All business endeavors involve risk; most of the time, there is no reward without risk. Because risk can never be eliminated entirely, a prudent manager needs to manage it.
Risk management is an entire domain in any field of business. It spans a continuum: sometimes the risk manager is part of the leadership team, and sometimes risk management is a ‘box-check’ activity subsumed under “continuity of operations” (COOP) plans in Human Resources.
Cybersecurity involves identifying and mitigating risk; see our posts about the NIST framework here. Every organization that connects devices to the Internet carries a degree of cybersecurity risk, whatever its size. How it manages that risk is the ‘business’ of all managers in the enterprise.
There are two ways organizations can manage risk. One is to conduct internal benchmarking by comparing practices across business units. For example, maybe one unit requires a swipe of an identification badge for systems access while others do not. A second approach is to have a matrixed task force, possibly led by a CISO, identify best practices internally and then build up common standards across the enterprise.
Both the internal benchmarking and the matrixed teaming approaches manage some of the risks of cybersecurity, but not necessarily the same risks. The benchmarking approach is highly effective as a strategic alignment approach but may identify practices that are not transferable across units. The task force approach is effective at creating common cybersecurity standards that are consistent with the organization’s culture -- i.e. it’s what we can all agree to -- but minimum standards may not be effective in mission-critical areas.
Relationships across business units and their management teams, in both the internal benchmarking and the matrixed teaming approaches, are the key to managing cybersecurity risks. Cooperation and communication across business units create a common understanding of why cybersecurity is everyone’s business. Alignment of cybersecurity practices can then be understood as risk management. Commitment to the alignment of cybersecurity expectations through common standards, continual monitoring, and constant upgrading is not an either/or choice; it’s the way forward.
We have a short video on this topic on our YouTube channel.