Are you talking about Risk with your customers?
Every organisation has to make difficult decisions about how much time and money to spend securing its technology, and about how to use risk management techniques to inform and improve the actions taken to protect day-to-day services and operations.
Here are some common risk management starting points used by the Marathon Professional Services team. They could help your customer improve the decisions they make about cyber security and, at the same time, increase your share of their overall IT budget.
Where to start
To be effective, a statement of risk needs to be clear enough to be understood by different audiences. Too complicated, and it can have a negative impact on operations; too simple, and you’ll see over-confidence and a tick-box approach that falls short of protecting what is important to the business.
The bottom line is that we need to be prepared before we start the conversation, and to understand the customer’s attitude to risk along with their experience of managing it.
Is Risk Management dull?
It might not seem that exciting, but managing risk has a dynamic part to play in improving the business decisions that are made every day. We can’t completely remove risk for our customers, because we can’t predict what may happen in the future, but we can analyse their options and help them to make informed choices about the potential consequences.
Get the Basics right
One of the many myths (and the basis of many customer objections) around risk management is that it’s all about being compliant. Compliance and security may overlap, but simply meeting a security standard, and believing you have therefore understood and managed a risk, can mask some very weak security practices. Getting the basics right is a good starting point to take with your customer, and it involves the following:
Get a baseline: If they do nothing else, customers should adopt a recognised baseline of security controls, such as those defined in Cyber Essentials. It’s important to understand what your customer cares most about protecting and why, as attackers use a scatter-gun approach and often don’t know (or care) who they are targeting… until they get a foothold in the system.
Understand the techniques: Component-driven (bottom-up) and system-driven (top-down) techniques for managing risk approach the problem from different perspectives. Should the customer look at each part of the network (the components) to evaluate the risk of compromise, or look at the overall network (the system) for a high-level view of risk? Both have benefits, but each has to be viewed in the context of the baseline the customer has set before it can be validated as appropriate.
Like any project, it’s important to be aware of the pitfalls of managing risk.
Security risk has to be balanced against other types of risk in the business. For example, make the password process too complicated for a customer to log in to their account and you risk losing them to the competition. Again, the need to involve different audiences will be critical for your customer and for the success of your project.
While we are on the subject of competitors, don’t look too closely at what others are doing to protect themselves. It might be useful to keep an eye on how others have solved a specific problem, but your customer will need a unique solution.
In our experience, you have to approach risk like any other project. Be wary of the technology claims and myths surrounding security and its techniques. Trust us, we haven’t found a silver bullet yet, but successful projects always involve a well-structured approach and strong project management skills.
Talk to the team on 020 8329 1000 for more information about our approach to risk management and how we can help you to start the conversation with your customers.