Steve Ryan, attest services manager and head of healthcare services at BARR Advisory, recently joined Larry Kinkaid, cybersecurity consulting manager at BARR, for an in-depth discussion on how to position your risk management program as a source of real value for your organization.
During their talk, the pair broke down the basics of building a pragmatic risk management program and explained how practical, tailored security controls can effectively bridge the gap between security and compliance.
“Why are we doing risk assessments? Spoiler alert: It’s typically compliance-driven—and that’s the reason why it feels like it’s checking the box,” said Kinkaid, noting that frameworks like ISO 27001 are rooted in robust risk assessments. But for organizations aiming to effectively manage risk, achieving compliance is only one piece of the puzzle.
“Security does not equal compliance, and vice versa, compliance does not equal security,” Ryan said. “However, both of them together do equal trust for your key stakeholders.”
The pair said standards like SOC 2, ISO 27001, and HITRUST provide organizations with a “guiding beacon” to help them map out actionable plans for data security.
“Compliance is the language to boast or brag about your security program,” Kinkaid said. “Now, you’re speaking a common language.”
Ryan and Kinkaid also explored strategies for securing cross-functional cybersecurity buy-in. For a risk management program to be sustainable, team members across your organization must understand the importance of data security and why they’re implementing certain controls, Ryan said. He recommends curating a security committee that includes representatives from all departments in order to improve communication, streamline decision-making, and ensure your risk management strategies are aligned with your business goals.
Kinkaid said that when you open up conversations about risk management to include leaders throughout the organization, security teams are empowered to “work with the business as opposed to being the ‘department of no.’”
Establishing a security committee can also help organizations define accountability to empower effective risk management. “If everyone’s accountable, no one’s accountable. That’s why establishing that committee is so important,” Kinkaid said.
Ryan added: “From an auditor’s perspective, if you don’t have that security committee, you’re already behind the eight ball a little bit, because you’re doing that risk assessment from a really siloed approach.”
To hear their full conversation, access the webinar now on-demand.
Our experts can help you build a culture of security that spans your entire organization. Contact us today to find out how.