Security Risk as a Business Discussion

There is a lot of buzz in the market this year about risk management and how hard it is given current architectural complexity and the increased sophistication of attackers. Add to this the continued dearth of talent in cybersecurity.

Enter cybersecurity service providers to assist the organization with a broad range of services: risk assessments replete with gap heatmaps and remediation suggestions; strategic program design including security best practices; and a nascent but trending offering to educate the board, executive management team, and CISOs on how to have the risk conversation within a business context. Experienced CISOs are having this conversation among themselves and in fact, one savvy security leader is calling for Risk as a Lingua Franca. Worthy service providers are helping to create this lingua franca and to educate their clients through enterprise risk management offerings, continuous vulnerability monitoring, and penetration testing.

This is evidence that risk management, while not new to the business, is gaining popularity in security teams. Or maybe it’s that the board and executives will no longer satisfy unfettered budget demands without it. Regardless, service providers beyond the Big 4 have jumped into this market. Big 4 services span the gamut from traditional risk assessment and analysis, through roadmaps that assist clients with identification of business risk, to gap remediation. Newer product offerings (RiskSense, Security Scorecard, and Balbix, just to name a few) focus on security risk quantification visualized through metrics and heatmaps. Communication service providers are also stepping up their game, like Verizon with its Verizon Risk Report announced at last year’s RSA conference. Another is CenturyLink’s partnership with RiskSense to provide visibility across CenturyLink’s behemoth network and out to its managed security service customers.

My colleague Jon Oltsik has done primary research in this area and has written extensively about the risk management topic. What’s great about ESG analysts is that we share data! The following is my interpretation of some of Jon’s data considering the service provider landscape. In my ESG Brief, Risk Management Services, I highlight just a few companies to provide context; this is by no means a full assessment of their capabilities.

ESG data shows that cyber risk management has become significantly more difficult, which lays the foundation for increased assistance from service providers.

Service providers, through time-and-materials-based engagements alongside growing software-as-a-service (SaaS) offerings like the ones mentioned above, not only assess an organization’s current risk posture and remediate its gaps, but also work to create formal documented processes and reporting in financial terms that business executives and board members can understand, an area in which only 54% of our respondents say they are “mature” today.

The Big 4 have been working to bridge this gap for a while now with their background in business risk, accounting, and advisory to executives. Cybersecurity has been a natural extension of enterprise risk management. Witness PwC’s Strategy and Transformation offering, which helps enterprises develop business-focused strategies that support growth by making security and privacy an enterprise-wide priority, and Accenture’s Cyber Risk and Resilience capability.

Cybersecurity is maturing as a market. We’re at an inflection point right now that escalates the need to elevate security to an enterprise-wide issue. Service providers assist security teams in gap analyses and roadmaps for risk management. They also assist the board and executive teams to ask the right questions and provide reports to CISOs and security execs to help create the lingua franca so desperately needed.
