  • Operator Sessions
  • 22 November 2023
  • 10 min read
  • Words: Northzone

Operator Session: Navigating the Landscape of Technology Risk Management (Including a Checklist)

In our latest Operator session we delved into technology risk management with expert Kasey Chappelle, founder of Simple Risk and ex-GoCardless VP, Enterprise Risk and Data Protection Officer. Her experience at previous organisations, including corporate environments such as American Express, Vodafone and eBay, has given her invaluable insights on a wide array of topics, shedding light on building good risk management programs covering privacy, security and resiliency.


Establishing mature risk management practices

Throughout her career, Kasey built out the company’s privacy, security and resiliency risk programs and took on incident management and supplier and third-party risk. She provided concrete examples to highlight the importance of thinking early about technology risk practices. Anecdotally, GoCardless began to build maturity after an office break-in, and the effective date of GDPR (25 May 2018), made clear that security and privacy were essential for the growing company.

It’s a common trend: many companies start these programs only after something has gone wrong, often having a hard time justifying the financial and time investment before then. When something goes significantly wrong, it can damage credibility and market share, hinder the next funding round, or materially slow down the sales cycle.

At first, the teams with responsibilities in these areas were challenged by siloed functions. The security team struggled with communication and prioritisation, while the privacy team couldn’t build without dedicated engineering support.

As part of a new reorganisation, Kasey took on the lead of Privacy and Security Risk, working together with the lead of Privacy and Security Engineering. Later, the engineering team became the Foundations team, covering all things related to the safe, secure and stable operation of the company’s core platform, while Kasey’s team also took on business continuity, compliance with financial services operational resilience rules, and later, operational and enterprise risk. This dual-leadership approach fostered collaboration across teams, streamlined requirements, and improved communication with the board and senior leaders about risk.

Understanding technology risk: privacy, security and resiliency

We started the session with a discussion on the overlaps and differences between privacy, security, and resiliency.

Both privacy and security are necessary for comprehensive data protection. Security is about how companies protect systems and data from internal or external threats. If security is weak, then privacy is not protected. But security could be very strong and privacy problems could still arise, as privacy is related to the decisions the company makes about how personal data is handled.

There is also overlap between security, resiliency and continuity: security prevents disruptive attacks, such as denial of service, while resiliency and continuity plans focus on preventing or recovering from disruption of any cause, as illustrated below.

Getting started: Ownership and accountability

The early need for ownership and accountability is critical when companies get started on security and privacy initiatives. Smaller companies often depend on motivated volunteers, but they will hit a tipping point as they scale where someone will ultimately have dedicated responsibility. Even in a small structure, appointing a responsible person will jumpstart progress and ensure continuous improvement. They can stay agile in the face of hiring challenges by thinking about upskilling existing staff and supporting their growth through certifications and external mentorship.

Kasey also introduced the concept of an executive sponsor: a senior leader accountable for these initiatives. She also emphasised the importance of communicating early and often about plans, to set the tone from the top and generate energy and participation.


Next steps: Know what you need to protect

The first step to strong technology risk practices is to know what you’re trying to protect by keeping track of critical teams, tools, suppliers, and data.

Companies that start with siloed expertise in security, privacy and continuity will often find themselves tracking essentially the same things in several different ways. A stakeholder with GDPR oversight will construct the legally required record of processing activities (GDPR Article 30), those pursuing a security certification will start with an “asset register”, and the business will call for a “business service map”, among other examples.

Kasey suggests consolidating all these processes into a single inventory. Use the tools your engineering or product function already relies on (for example, a service catalogue such as Backstage, if one is already in place) so that the inventory is kept up to date during the ordinary course of business. By integrating this information into daily work tools, teams correct inaccuracies as they go, keep the inventory relevant, and build a strong knowledge base along the way.

Furthermore, assigning a criticality to each item in your inventory helps you focus and prioritise. Start with a simple rating scale such as low/medium/high, based on the item’s impact on your operations, the sensitivity of the data it holds, or the regulations that apply to it. You can then concentrate on the things that matter, balance controls against the need to move quickly, and avoid locking down items whose rating doesn’t justify it.

As the company grows, naming an owner for each item in your inventory will once again be critical to your success.
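The consolidation and rating described above, as an added example that is not code from the session or from any of the tools named on this page: three constructed registers (a security asset register, a GDPR record of processing activities and a business service map) are merged on a canonical service key, criticality is taken as the highest of the three rating dimensions, and items with no named owner are flagged. The record layouts, field names and sample services are assumptions made for the illustration.

```python
"""Merge the security asset register, the GDPR record of processing activities
(RoPA) and the business service map into one inventory, derive a
low/medium/high criticality per item and flag items with no owner.
All records below are constructed for this example; the field names are
assumptions, not the format of any real register or catalogue.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LEVELS = ["low", "medium", "high"]  # ordered so index() gives a comparable score


@dataclass
class InventoryItem:
    name: str
    owner: Optional[str] = None
    impact: str = "low"            # operational impact if unavailable (service map)
    data_sensitivity: str = "low"  # highest data classification held (asset register)
    regulation: str = "low"        # regulatory exposure (RoPA)
    sources: Set[str] = field(default_factory=set)  # which registers mention it

    @property
    def criticality(self) -> str:
        """The rating is the worst of the three dimensions, not an average:
        a low-impact service holding special-category data is still 'high'."""
        score = max(LEVELS.index(self.impact),
                    LEVELS.index(self.data_sensitivity),
                    LEVELS.index(self.regulation))
        return LEVELS[score]


def canonical(name: str) -> str:
    """Each team names the same service differently ('Payments API',
    'payments_api', 'payments-api'); reduce them to one key."""
    return re.sub(r"[\s_]+", "-", name.strip().lower())


# Constructed sample registers (hypothetical services, not real data).
ASSET_REGISTER = [  # security team's view: what each system holds, who owns it
    {"asset": "Payments API", "owner": "platform-team", "classification": "high"},
    {"asset": "Marketing Site", "owner": "growth", "classification": "low"},
    {"asset": "HR System", "classification": "medium"},  # no owner recorded
]
ROPA = [  # privacy team's Article 30 record: which processing is regulated
    {"processing_activity": "payments_api", "lawful_basis": "contract", "special_category": False},
    {"processing_activity": "hr_system", "lawful_basis": "legal obligation", "special_category": True},
]
SERVICE_MAP = [  # business view: what hurts if it is down
    {"service": "payments-api", "outage_impact": "high"},
    {"service": "marketing-site", "outage_impact": "low"},
    {"service": "hr-system", "outage_impact": "medium"},
]


def build_inventory(assets: List[dict], ropa: List[dict],
                    service_map: List[dict]) -> Dict[str, InventoryItem]:
    inventory: Dict[str, InventoryItem] = {}

    def item(name: str) -> InventoryItem:
        key = canonical(name)
        return inventory.setdefault(key, InventoryItem(name=key))

    for a in assets:
        it = item(a["asset"])
        it.data_sensitivity = a["classification"]
        it.owner = a.get("owner") or it.owner
        it.sources.add("asset_register")
    for r in ropa:
        it = item(r["processing_activity"])
        # Any listed processing is regulated; special-category data raises it further.
        it.regulation = "high" if r["special_category"] else "medium"
        it.sources.add("ropa")
    for s in service_map:
        it = item(s["service"])
        it.impact = s["outage_impact"]
        it.sources.add("service_map")
    return inventory


def missing_owners(inventory: Dict[str, InventoryItem]) -> List[str]:
    """Items nobody is accountable for; the first thing to fix as you scale."""
    return sorted(k for k, it in inventory.items() if it.owner is None)


def by_criticality(inventory: Dict[str, InventoryItem]) -> List[InventoryItem]:
    """Highest-rated items first, so attention goes where it matters."""
    return sorted(inventory.values(), key=lambda it: -LEVELS.index(it.criticality))


if __name__ == "__main__":
    inv = build_inventory(ASSET_REGISTER, ROPA, SERVICE_MAP)
    for it in by_criticality(inv):
        print(f"{it.name:15} {it.criticality:6} owner={it.owner} sources={sorted(it.sources)}")
    print("missing owners:", missing_owners(inv))
```

Note that "hr-system" rates high although its outage impact is only medium: the RoPA entry carrying special-category data is what drives the rating, which is why the inventory has to be built from all three registers rather than from the service map alone.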


Know what good looks like 

Once you’ve identified what you need to protect, how do you know when you have the right protections? It can be hard to prove a negative in privacy, security and resiliency: has nothing gone wrong because you were good or lucky? Companies can track how well they’re covered by using common control frameworks and tracking against benchmarks.

But which controls are right for you? Paying attention to what your stakeholders care about is one way to frame the answer: regulators, partners, investors, and customers each have expectations related to security, privacy and resiliency, and this will drive some of the decisions you make about where to allocate your resources. 


Keeping track of customers’ feedback helps you anticipate what kind of controls they will expect. If your sales team already tracks customer demands somewhere, you can layer this framework on top and may find a common direction; for example, customers may be asking for a particular certification. Kasey has found that, in security, European customers tend to look for ISO 27001 and American customers for SOC 2. Other sources, such as the NIST Privacy Framework and Cybersecurity Framework, are useful guides for companies not seeking certification.

Regardless of what you’re choosing, GRC software (Governance, Risk, and Compliance) can help you track controls and automate audit cycles, saving time and resources. These tools come particularly in handy if you have multiple control frameworks to keep track of. 

If you choose ISO, you may need several certifications to cover all areas of technology risk: ISO 27001 (security), ISO 27701 (privacy) and ISO 22301 (business continuity) together cover all three. Kasey explains that while these standards are distinct, they share a common structure for how you construct a “management system”, allowing companies to build a consolidated and harmonised program.

Some lessons Kasey took away from building out control frameworks were:

  • Write things down as you go along. Documenting policies and procedures will only get harder as you grow.
  • Make ‘good product design’ everyone’s responsibility. Embed privacy, security and resiliency guidelines into product development. Simple checklists can do wonders. 
  • Before you decide to lock everything down (which can frustrate your employees and challenge your culture), focus on knowledge rather than control.
  • Don’t go all in on incident management without building the action tracking and trend analysis that it enables. Otherwise, you get all the bureaucracy with none of the benefits.  

Finally, telling the story

After you’ve identified 1) what you need to protect and 2) what controls you have in place to protect it, you’ll need to track progress and communicate about risk. Senior leaders and the Board will want to know how you’re protecting the company and their investment. In these situations, always remember that you’re talking to non-experts, with lots on their plate and often a short attention span.

Data, KPIs and common enterprise risk tools (such as heat maps of risk events and red/amber/green ratings) can help you convey important information, but don’t neglect the narrative you place on top. Stay focused on your agreed targets and don’t get distracted. It’s also very important to highlight the benefits rather than only the negative aspects.

The overall narrative should focus on demonstrating progress, addressing challenges, and showcasing the value of a strong technology risk programme. Being able to explain how risks affect the company can help guide good decision-making, allocate resources efficiently and help prevent events that get in the way of success. Be honest with your board about what you can fix, in what timeframe, and with your resources.

Don’t leave without this quick checklist 

  • Name an owner. Treat good technology risk as both a project and ongoing BAU. Assign someone with dedicated responsibility and an accountable executive sponsor. 
  • Launch with fanfare. Communicate to create excitement, recognise participation and set the tone from the top. 
  • Know your estate. Understand what services, tools, suppliers and teams are critical to your product. Those should get most of your attention. Track them somewhere central to your operations and assign an owner responsible for keeping it up to date. 
  • Learn from your stakeholders. Have a way to identify and track what your stakeholders want – customers, investors, regulators and partners will need to know that you are keeping them safe. 
  • Know what good looks like. Establish your top controls and critical benchmarks, stay focused on those targets, and track and communicate progress against them.
  • Tell the story. Use data and narrative to explain benefits and show progress. Don’t be afraid to tell your Board what you’ll get to, when, and what you can’t achieve with current resources. It’s their job to understand and challenge those tradeoffs.

Lastly, Kasey recommends:

  • Data Contracts, by Andrew Jones
  • Inavate UK’s ISO audit and consultancy services
  • A tool that can track shadow IT, like Torii
  • A tool that can keep track of your inventory 
    • Data mapping: Transcend (also a great overall privacy management tool, especially if you’re struggling with DSARs)
    • Service catalogue: Backstage
  • A tool for keeping track of control frameworks (GRC – “Governance, Risk & Compliance”), like Hyperproof or Anecdotes
  • A tool for response libraries, customer due diligence and RFP management, like RFPio
  • An email security tool to prevent data loss and phishing, like Tessian
  • Slack-integrated incident management from Incident.io