Why a Risk Register Helps a CISO Communicate to the Board [11:46]

In this latest edition of An Insider's Look At Security and Compliance, hosted by Evan Schuman, Edgile's Brian Rizman explains that to win board-level budget buy-in, CISOs need to first define the strategic "whys" behind specific risk mitigation initiatives before turning to the more technical, product-oriented "whats" and "hows." An accurate and dynamic risk register is critical because it ties back to the organization's risk mandates and helps guide the "why" when lobbying for security funding.

Key Points

  • Keeping an accurate and updated risk register can help justify security budget requests.
  • An outdated or inaccurate risk register can give senior management a reason to cut security spending, because the true risks aren't apparent.
  • Edgile’s iGRC content library subscription service brings laws, regulations and risk frameworks into a common reporting and measuring mechanism that’s understandable and functional across the enterprise.
  • iGRC is a relatively small investment, considering that it lays the risk register foundations that drive security development and deployment.
  • CISOs need to be part of the conversations around how planned organizational changes may affect future risks.
  • As CISOs get more board-level air time, they need to use business-focused language that ties back to business value so management can support proper security funding.
  • Don’t wait for a big breach before taking strategic actions that identify critical risks.

About the speaker

An experienced leader, Brian Rizman has been helping clients through complex technology, strategy and compliance challenges and opportunities for nearly twelve years. Most recently he was in PwC's Process, Risk, Controls, Security and Governance national practice, where he was responsible for leading the competency, team, solution strategy, client relationships and sales in the Southern California region.

About the host

Evan Schuman has tracked security and compliance for enterprise IT audiences since the late 1980s, having served as a columnist for Computerworld, eWEEK and CBSNews.com. He has also run editorial operations for IT media outlets tracking payments, retail and general technology issues. Evan lectures on security and compliance topics at Columbia University and New York University graduate schools and moderates webcasts for MIT Sloan Management and VentureBeat.