Topics: Transformation, Security, Business, Technology

Opening up risk management: Always on, everybody’s business

Jim Gumbley

Published: Nov 8, 2019

Just as cyber-related threats have emerged as a top concern of companies globally, senior executives are losing confidence in their ability to assess, prevent and respond to them. In a way, this is understandable. Technology is a constantly moving target, and every effort to bring a new product or service to customers inevitably creates new risks. 

Source: Marsh/Microsoft Cyber Risk Perception Survey

How can business leaders turn things around? We first need to accept that in this environment, the traditional approach to cyber risk management - tasking specialists to build and maintain huge documents, while software teams press on in a bubble - is no longer fit for purpose. Risk has to be addressed collectively and dynamically - that is, by everyone from the board down and, rather than after a product is built or a crisis erupts, on a constant basis.
From what I’ve seen in my work with clients, some organisations are already taking steps in this direction. But often, even when business leaders tell teams to build security into everything they do, it’s still sacrificed for a compelling new feature, or faster speed to market. This struggle where the strategy is set but the tactics aren’t working is, in my experience, often the result of a few common issues. Here’s a brief checklist on how to avoid them.

1. Balance risk - and recognise value
Even the most basic security practices and activities will take second priority to delivery unless their value is understood. Security will have little traction until inherent risk - that is, the risk that would exist if all controls and protections failed - has been understood. Importantly, managing that risk needs to be measured in terms of its business value, like any other development initiative or enterprise asset, rather than treated as an obstacle.

That means assessing what avoiding failure is ‘worth’ to the company, whether in financial terms or in other measurable positive outcomes. Recognising that steps to balance risk have real value makes them hard to trade away for the sake of speed or convenience. It helps create a business case that justifies the investment needed to embed security into a product from the outset. And it underlines to everyone, from the executive leadership to product developers, the connection between risk and business priorities.

2. Strive for ‘just enough’
Since eliminating risk isn’t realistic, enterprises should be aiming for a state of balance where the burden of inherent risk is roughly equivalent to investment in safeguards: the time, effort and/or resources required for risk control and protection.

Drilling down to identify specific key loss events and analysing their magnitude, frequency and likelihood enables the enterprise to zero in on the specific activities and needs required to prevent these scenarios and establish clear investment priorities. By making this information clear and comprehensible, and ensuring it’s articulated throughout the organisation, business leaders can create a de facto risk management ‘code’ that captures key areas of focus and provides a clear foundation for future risk management decisions.

Reference: Measuring and Managing Information Risk: A FAIR Approach

Of course, identifying and valuing risk isn’t an exact science. Companies may have various formal or mathematical frameworks to guide the process, but it’s also important to remember that we all have a basic understanding of risk. We all make risk-based decisions all the time in our daily lives. That means human discernment can, and should, play a role - and in general, the more people and perspectives are involved, the better. Which brings us to the next point.
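The loss-event analysis described in this section can be made concrete with a small FAIR-style model: each factor (threat event frequency, the likelihood an attempt becomes a loss, and loss magnitude) is a calibrated min/most-likely/max range, annualised exposure is estimated by Monte Carlo, and a safeguard is funded only when the expected loss it removes exceeds its cost, which is the ‘just enough’ balance. This is an added example, not code from the post or from the FAIR book; the scenarios and all figures are constructed.

```python
from dataclasses import dataclass
from random import Random
from statistics import mean, quantiles

@dataclass(frozen=True)
class Estimate:
    """Calibrated (min, most likely, max) range for one risk factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class LossEvent:
    name: str
    threat_events_per_year: Estimate  # how often an attempt is made
    vulnerability: Estimate           # probability an attempt becomes a loss
    loss_magnitude: Estimate          # cost of one loss event

def annualised_loss(event: LossEvent, seed: int = 1, runs: int = 20000) -> dict:
    """Monte Carlo annualised loss exposure: inherent risk, i.e. no controls."""
    rng = Random(seed)
    draws = [event.threat_events_per_year.sample(rng) * event.vulnerability.sample(rng)
             * event.loss_magnitude.sample(rng) for _ in range(runs)]
    return {"mean": mean(draws), "p90": quantiles(draws, n=10)[-1]}

def safeguard_is_worth_it(event: LossEvent, controlled: Estimate, annual_cost: float) -> bool:
    """'Just enough': fund a safeguard only when the expected loss it removes
    exceeds its cost; otherwise the burden outweighs the inherent risk."""
    residual = LossEvent(event.name, event.threat_events_per_year, controlled, event.loss_magnitude)
    return annualised_loss(event)["mean"] - annualised_loss(residual)["mean"] > annual_cost

def ranked_exposure(events) -> list:
    """Order loss events by expected annual loss to set investment priorities."""
    return sorted(((e.name, annualised_loss(e)["mean"]) for e in events),
                  key=lambda item: item[1], reverse=True)

# Constructed scenarios for one product; the figures are illustrative only.
CUSTOMER_DATA_LEAK = LossEvent("customer data leak", Estimate(2, 6, 20),
                               Estimate(0.05, 0.15, 0.4), Estimate(50_000, 400_000, 3_000_000))
SITE_DEFACEMENT = LossEvent("marketing site defacement", Estimate(5, 20, 60),
                            Estimate(0.1, 0.3, 0.6), Estimate(1_000, 5_000, 30_000))

if __name__ == "__main__":
    for name, exposure in ranked_exposure([CUSTOMER_DATA_LEAK, SITE_DEFACEMENT]):
        print(f"{name}: ~{exposure:,.0f} expected loss per year")
```

The p90 figure is the one to show stakeholders alongside the mean, since loss magnitude is heavily skewed and the tail is what a board is really deciding to carry or to fund away.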

3. Make risk management a team effort
Any organisation with a risk management division that sits in a silo very likely has tunnel vision. Just as technology increasingly cuts across functions, risk needs to be perceived and addressed as a collective responsibility. When the enterprise sets out to identify and measure risk, virtually every stakeholder with a say in the needs and objectives of the business should be represented. This means delivery teams, who have to understand the risk (and value) of what they’re building, but also legal and compliance, who can identify stakeholder needs that have not been addressed, as well as the finance teams who may need to sign off on risk management investments. It even includes customer-facing teams, who have vital insight into how products are used in the field.

Consistently communicating risk information to teams throughout the enterprise should be seen as part of the risk management role. If a quantitative model or threat assessment shows storing certain data can put customers in danger, or increase risk exposure to a third party, it’s vital that this knowledge makes its way to developers rather than remaining buried in a little-viewed monthly report. Executive teams may not be involved in product testing or all security conversations - but they do have a vital role in providing input, flagging these conversations as important, and coordinating across functional silos to make sure everyone is participating. As with most strategic initiatives, the tone is frequently set from the top.

4. When it comes to security, don’t ever stop
Digital business is defined by a continuous approach to development where products are consistently improved based on data analysis and end-user feedback - and that calls for a similar approach to security.

Once inherent risk has been understood, investments have been made and the secure delivery lifecycle is a reality, the enterprise can’t sit still. As data and feedback calls for new features, new services, perhaps the migration of customers to completely different platforms, the risk profile and metrics associated with a product will keep changing. And when that change comes, the team needs to go back and review the risk balance, gauging where additional investments or resources may be needed (or, more happily, where risk has been reduced and resources can be shifted elsewhere). This won’t always be a seamless journey, but when business leaders have made it clear it’s a strategic necessity and teams grow familiar with the processes required, balancing risk with secure delivery becomes second nature. The safest organisations will be those that embrace risk management as a culture, rather than just a process checkbox to tick.
