Throughout her career, Kasey built out the company's privacy, security and resiliency risk programmes and took on incident management and supplier and third-party risk. She gave concrete examples of why it pays to think early about technology risk practices: at GoCardless, an office break-in and the GDPR coming into force (on May 25, 2018) were the events that made it clear that security and privacy were essential for the growing company, and maturity began to build from there.
It's a common pattern: many companies only start these programmes after something has gone wrong, having struggled to justify the financial and time investment before then. A significant incident can damage credibility and market share, hinder the next funding round, or materially slow the sales cycle.
At first, the teams responsible for these areas were hampered by siloed functions: the security team struggled with communication and prioritisation, while the privacy team could not build anything without dedicated engineering support.
As part of a new reorganisation, Kasey took on the lead of Privacy and Security Risk, working together with the lead of Privacy and Security Engineering. Later, the engineering team became the Foundations team, covering all things related to the safe, secure and stable operation of the company’s core platform, while Kasey’s team also took on business continuity, compliance with financial services operational resilience rules, and later, operational and enterprise risk. This dual-leadership approach fostered collaboration across teams, streamlined requirements, and improved communication with the board and senior leaders about risk.
We started the session with a discussion on the overlaps and differences between privacy, security, and resiliency.
Both privacy and security are necessary for comprehensive data protection. Security is about how a company protects its systems and data from internal or external threats; if security is weak, privacy cannot be protected. But security can be very strong and privacy problems can still arise, because privacy concerns the decisions the company makes about how personal data is handled, and no technical control makes those decisions for it.
There is also overlap between security, resiliency and continuity: security prevents disruptive breaches, such as denial-of-service attacks, while resiliency and continuity plans focus on preventing or recovering from disruption of any kind, as per the below.
Ownership and accountability matter from the start of any security and privacy initiative. Smaller companies often depend on motivated volunteers, but as they scale they reach a tipping point where someone must hold dedicated responsibility. Even in a small organisation, appointing a responsible person jump-starts progress and sustains continuous improvement. Teams can stay agile in the face of hiring challenges by upskilling existing staff and supporting their growth through certifications and external mentorship.
Kasey also introduced the concept of an executive sponsor: a senior leader accountable for these initiatives. She emphasised the importance of communicating early and often about plans, to set the tone from the top and generate energy and participation.
The first step to strong technology risk practices is to know what you’re trying to protect by keeping track of critical teams, tools, suppliers, and data.
Companies that start with siloed expertise in security, privacy and continuity often end up tracking essentially the same things in several ways: whoever oversees GDPR compliance constructs the legally required "register of processing activities", those pursuing a security certification start with an "asset register", and the business calls for a "business service map", among other examples.
Kasey suggests consolidating all of these into a single inventory. Use the tools your engineering or product function already uses (a service catalogue such as Backstage, for example) so that the inventory is kept up to date in the ordinary course of business. Integrating the information into daily work tools means teams correct inaccuracies as they go and keep the inventory relevant, building a strong knowledge base along the way.
Assigning a criticality to each item in the inventory helps you focus and prioritise. Start with a simple scale such as low/medium/high, based on the item's impact on your operations, the sensitivity of the data it handles and the regulations that apply to it. You can then concentrate on the things that matter, balance controls against the need to move quickly, and avoid locking down what does not justify it.
As the company grows, naming an owner for each item in the inventory once again becomes critical to your success.
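As an added example (not code from the talk, from GoCardless or from Backstage itself), the Python below builds the single inventory described above from Backstage-style Component entities, rates each item low/medium/high as the maximum of its operational impact, data sensitivity and regulatory scope, and flags the gaps an owner review would want to see (no owner, no classification). The annotation keys under `risk.example.com/`, the rating scales and the sample entities are all assumptions made for illustration; a real catalogue would load these from `catalog-info.yaml` files rather than inline dicts.

```python
"""Consolidated technology-risk inventory from Backstage-style catalogue entries.

Added example, not code from the talk or from GoCardless. Assumptions:
- services are described as Backstage Component entities (dicts here instead
  of catalog-info.yaml so the example runs offline), and
- the privacy and continuity attributes that separate registers used to hold
  live as hypothetical annotations under ``risk.example.com/`` on that entity.
"""
from __future__ import annotations

LEVELS = {"low": 0, "medium": 1, "high": 2}
NAMES = {v: k for k, v in LEVELS.items()}

# Hypothetical annotation keys (assumed; the talk names none).
ANN_IMPACT = "risk.example.com/operational-impact"
ANN_DATA = "risk.example.com/data-classification"
ANN_REGS = "risk.example.com/regulations"

# Assumed data-sensitivity scale; GDPR Art. 9 "special category" data is the top tier.
DATA_RATING = {"public": "low", "internal": "low", "confidential": "medium",
               "personal": "medium", "special-category": "high"}
# Assumed regulatory weights: any named regime lifts an item to at least medium.
REG_RATING = {"gdpr": "medium", "pci-dss": "high"}


def _annotations(entity: dict) -> dict:
    return entity.get("metadata", {}).get("annotations") or {}


def rate_item(entity: dict) -> tuple[str, list[str]]:
    """Return (criticality, findings) for one entity.

    Missing information is reported as a finding and rated medium so that an
    unclassified item can never silently fall to "low".
    """
    ann, findings = _annotations(entity), []
    impact = ann.get(ANN_IMPACT)
    if impact not in LEVELS:
        findings.append("operational impact not recorded")
        impact = "medium"
    data_rating = DATA_RATING.get(ann.get(ANN_DATA))
    if data_rating is None:
        findings.append("data classification missing or unknown")
        data_rating = "medium"
    reg_rating = "low"
    for reg in (r.strip() for r in ann.get(ANN_REGS, "").split(",") if r.strip()):
        # unknown regime names still count as "regulated" -> at least medium
        reg_rating = NAMES[max(LEVELS[reg_rating], LEVELS[REG_RATING.get(reg, "medium")])]
    return NAMES[max(LEVELS[impact], LEVELS[data_rating], LEVELS[reg_rating])], findings


def build_inventory(entities: list[dict]) -> list[dict]:
    """Flatten Component entities into one inventory, highest criticality first.

    Each row carries what the separate registers used to hold: the service
    (business service map), owner and lifecycle (asset register) and data and
    regulatory scope (register of processing activities).
    """
    rows = []
    for ent in entities:
        if ent.get("kind") != "Component":
            continue  # Groups, APIs etc. are not inventoried here
        meta, spec, ann = ent.get("metadata", {}), ent.get("spec", {}), _annotations(ent)
        criticality, findings = rate_item(ent)
        owner = spec.get("owner")
        if not owner:
            findings.append("no owner named")
        rows.append({"name": meta.get("name"), "owner": owner,
                     "lifecycle": spec.get("lifecycle"),
                     "data_classification": ann.get(ANN_DATA),
                     "regulations": ann.get(ANN_REGS, ""),
                     "criticality": criticality, "findings": findings})
    return sorted(rows, key=lambda r: (-LEVELS[r["criticality"]], r["name"]))


def gaps(inventory: list[dict]) -> list[str]:
    """Names of items that still need attention, in inventory order."""
    return [r["name"] for r in inventory if r["findings"]]


# Constructed sample entities in the shape of Backstage catalog-info entries.
SAMPLE_ENTITIES = [
    {"apiVersion": "backstage.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "payments-api", "annotations": {
         ANN_IMPACT: "high", ANN_DATA: "personal", ANN_REGS: "gdpr,pci-dss"}},
     "spec": {"type": "service", "lifecycle": "production", "owner": "team-payments"}},
    {"apiVersion": "backstage.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "marketing-site", "annotations": {ANN_IMPACT: "low", ANN_DATA: "public"}},
     "spec": {"type": "website", "lifecycle": "production", "owner": "team-growth"}},
    # an experiment that quietly handles the most sensitive data and has no owner
    {"apiVersion": "backstage.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "hr-exports", "annotations": {
         ANN_IMPACT: "low", ANN_DATA: "special-category", ANN_REGS: "gdpr"}},
     "spec": {"type": "service", "lifecycle": "experimental"}},
    {"apiVersion": "backstage.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "internal-dashboard", "annotations": {ANN_IMPACT: "low"}},
     "spec": {"type": "service", "lifecycle": "production", "owner": "team-data"}},
    {"apiVersion": "backstage.io/v1alpha1", "kind": "Group",
     "metadata": {"name": "team-payments"}, "spec": {"type": "team"}},
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_ENTITIES)
    for row in inventory:
        print(f"{row['criticality']:6} {row['name']:20} owner={row['owner']} {row['findings']}")
    print("needs attention:", gaps(inventory))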
Once you have identified what you need to protect, how do you know whether you have the right protections? It is hard to prove a negative in privacy, security and resiliency: did nothing go wrong because you were good, or because you were lucky? Companies can track how well they are covered by adopting common control frameworks and measuring themselves against benchmarks.
But which controls are right for you? One way to frame the answer is to pay attention to what your stakeholders care about: regulators, partners, investors and customers each have expectations for security, privacy and resiliency, and those expectations will drive some of your decisions about where to allocate resources.
Tracking customer feedback helps you anticipate which controls they will expect. If your sales team records customer demands somewhere, layer this framework on top and you may find a common direction; for example, customers may be asking for a particular certification. In security, Kasey has found that European customers tend to look for ISO 27001 and American customers for SOC 2. Other sources, such as the NIST Privacy Framework and Cybersecurity Framework, are useful guides for companies not seeking certification.
Whatever you choose, GRC (governance, risk and compliance) software can help you track controls and automate audit cycles, saving time and resources. These tools are particularly handy when you have several control frameworks to keep track of.
If you choose ISO, you may need multiple certifications to cover every area of technology risk: ISO 27001 (information security), ISO 27701 (privacy information management) and ISO 22301 (business continuity) cover all three. Kasey explains that although these standards are distinct, they share a common structure for building a "management system", which lets companies build a consolidated and harmonised programme.
Some lessons Kasey took away from building out control frameworks were:
After you have identified (1) what you need to protect and (2) which controls are in place to protect it, you need to track progress and communicate about risk. Senior leaders and the board will want to know how you are protecting the company and their investment. Remember that you are talking to non-experts with a lot on their plate and often a short attention span.
Data, KPIs and common enterprise risk tools such as heat maps of risk events and red/amber/green ratings help convey the important information, but do not neglect the narrative you place on top. Stay focused on your agreed targets and do not get distracted. It is also important to highlight the benefits over the negatives.
The overall narrative should demonstrate progress, address challenges and show the value of a strong technology risk programme. Being able to explain how risks affect the company helps guide good decision-making, allocate resources efficiently and prevent the events that get in the way of success. Be honest with your board about what you can fix, in what timeframe and with what resources.