Sr. Global Privacy and Cyber Security Risk Leader, Lockton Companies
Timothy develops long-range strategies directing clients how to optimize their data effectively and responsibly. He focuses on privacy compliance, data protection, and the use of or introduction to digital technology. He assists in identifying data privacy risks, operational risk, process improvement, and conducting data flow mapping exercises. Timothy conducts risk assessments and develop strategic solutions for managing those risks along with building incident response programs and plans to improve operational resiliency to a cyber or privacy event.
Over the past few months, we have engaged with numerous clients on their working from home solutions along with preparing to return to their office strategies.
A common topic of both scenarios has been, “How do we become a ‘better risk’?”
Our role is to assist and educate our clients and prospects on their risk exposures, the likelihood of those being exploited, and when they are, what will the impact be to their operations, finances, reputational, strategic, and regulatory risks.
Where do we begin?
To become a ‘better risk’, you must know what kind of current risk you are.
This begins your reflection assessment on where your organization currently is.
An initial starting point may be a review of your most current information or data risk assessment and begin reflecting on:
What were your most critical risks that were identified? What was the organization’s risk response to those critical risks?
Did you mitigate them within a set period or do those risks remain unaddressed? Perhaps you transferred the unacceptable levels of risk to a broad, best-in-class cyber liability insurance program.
How does our organization manage information risks? What information protection framework has been implemented to better protect us?
These reflecting questions will start the process of outlining what questions need answers to baseline your current risk level. Once that has been completed, you are able to project where you want to be as it relates to a ‘better risk’.
What do we do next?
Resources are plentiful to engage with to help your organization identify and reduce risks, but where do you start.
If our organization has not conducted and completed a current information risk assessment, you may be guided to conducting that first.
If asked, my initial questions for you to answer would be the following:
What does your information life cycle look like?
What is your critical information flow path look like?
Do you have that documented that depicts each information asset the critical information touches or traverses through?
What does your data classification policy look like?
When did your organization conduct its last data mapping exercise to ensure these are accurately depicted and protected?
Each organization is different; however, the same concepts apply. What information do you have? Where do you collect or create it? Where does it go (internally and externally)? Who has access to it? How is it protected? How long do we need to retain it? And, when do we need to destroy it?
Once an organization can answer those questions fully, will the strategy of becoming a ‘better risk’ become more likely.
Partnerships are critical in any successful business relationship. Leveraging experts to assist and focus on gaps and opportunity areas is not a simple process.
Outlining the accurate information above prioritizes what gaps and opportunities your organizations may consider focusing on within your overall ‘better risk’ strategy.
You have your current baseline. Check.
You have your information lifecycle and flow path documented. Check.
You have your information classification policy set. Check.
We now are ready to proactively prevent risks and losses from occurring.
A possible first step is to self-assess what and where your most critical risks reside and how well your current information security controls are working.
Your cyber carriers provide proactive loss services to help you conduct those self-assessments.
Now, correlating your initial, current risk level with your completed self-assessments will provide your organization with insight to where you are and drive the conversations of where you want to be as it relates to a ‘better risk’.
Your cyber carriers provide proactive loss services, such as security training and awareness programs, assisting in improving your risk posture within your workforce members, and other services, based on where you may need assistance.
Take into consideration all the proactive measures your organization is conducting and reassess your risk posture monthly, quarterly, and annually.
The results will showcase where you started, where you have been throughout the year, and where you are today.
The progress will tell your story and you will see that your organization is becoming a ‘better risk.’
For more information or guidance on these and other privacy or cybersecurity matters, please feel free to contact me directly at firstname.lastname@example.org