As we continue to share knowledge at Knightec, we asked our colleague and senior adviser, Patrik Malmenklev, to share his thoughts on cybersecurity from a risk management perspective. Ideally, risk management identifies risks early and puts appropriate mitigations in place to prevent incidents or reduce their impact; that much is true.
But the underlying problem with risk management is not technical, or even about process, but about ownership. I can give many examples of a lack of ownership and accountability for a product and its associated risks. So, getting a good risk management process in place is a transformation journey around who does what and who is accountable at the end of the day.
Let me explain what I mean by this. If you could appoint a clear owner of the product or service, a component, or even a part of the product you offer to the public, that person should also be the Risk Owner. It would give the development part of your organization a clear receiver of what they deliver and allow the product owner to provide very clear requirements for the product and, naturally, for its cybersecurity.
This is a great way to bring risk mitigation down to the organizational level. It also includes life cycle thinking around the risks associated with the product, communicating with all stakeholders, and sometimes directly or indirectly with customers. The Risk Owner should also own the translation of the risk assessment, i.e., a TARA (Threat Analysis and Risk Assessment), up to the Enterprise Risk Management level, so it makes sense to the people there and can be dealt with appropriately. While the design risks are very much in focus for the TARA experts, those risks mean something completely different when moving up the ladder in the company. It also gives the Enterprise Risk Management level the ability to provide requirements down the ladder, which is much needed and, unfortunately, all too often missing. The Product Owner / Risk Owner should know how to navigate this field of different stakeholders and become a master of communication within the company.
My experience from working with large international companies for almost two decades is that most understand the *RACI model. Still, most have their comfort zone around the Consulted role, which naturally sparks many exciting discussions in the meeting rooms. Yet things rarely happen after the meeting, because too few understand the weight of taking on (or being forced into) the Accountable role. Instead, these discussions should be steered by the Accountable person to get the answers and results needed to solve the present questions and challenges. Once we have solved these critical issues, we should find that we know two essential things: the as-is and the wanted states.
Now, we are facing a new phase and discussing change management. It is a complex journey and something that Knightec excels at. We would be happy to help customers understand where they are on their journey, where they need to go, and how to get there safely.
In a perfect world, we would like to involve different organizational, change management, and risk management experts to spark the dialogue on moving forward, followed by setting up a plan to reach your goals.
It starts with the dialogue!
*RACI Model (Responsible, Accountable, Consulted, Informed)
Patrik Malmenklev is an Advisor at Knightec with more than 20 years of international experience in IT and cybersecurity. Patrik’s interest in cybersecurity began with gaming, and he now focuses on helping others understand the relationship between quality, safety, and cybersecurity.
At Knightec, Patrik works with teams to address regulatory compliance and security awareness in the E-Mobility sector, aiming to enhance brand value and product quality.