I recently attended the Disaster Recovery Journal (DRJ) Fall World 2018 conference in Phoenix, Arizona. The conference was chock full of helpful discussions about business continuity management (BCM), but another consistent theme this year was risk management. RSA is the market leader in risk management solutions and we had a strong presence with dozens of interested visitors at our booth. I was also interviewed (listen to the full interview at the bottom of this blog) at the conference and asked by the host about what RSA does. I explained our mission and emphasized we try to help our customers understand two very important concepts as they implement and mature their resiliency and risk capabilities - Business Driven Security and Integrated Risk Management (IRM).
First, I explained that Business Driven Security is so critical because cyber risks and threats are no longer only an IT problem. They are a business problem and a challenge to building a resilient business. However, a "gap of grief", or lack of mutual understanding between IT and the business, gets in the way of the business' ability to prioritize risks and threats and take appropriate actions. In fact, this gap can exist within IT as well, as IT risk, recovery and security groups may not be working well together either.
Next, I explained that IRM is the integration, operationally and strategically, between risk, compliance, BCM, audit and other groups striving to manage risks and compliance. These groups are often siloed, use different tools and approaches, and because of the separation cannot combine or communicate risk and compliance status holistically enough for executives to understand or make decisions with.
These two themes resonate with our customers and give them guiding principles upon which to build their risk programs. However, the principles are not just important to risk management. They are also fundamental to developing resilient organizations that can stand up to the increasing onslaught of disruptions impacting today's enterprises. These principles help resiliency programs with similar challenges of bridging business and IT recovery, better managing risks, and communicating the right priorities up the chain. Resiliency activities and goals are a critical part of IRM and can become a competitive advantage for organizations that strive to mature.