Resilience Beyond Business Continuity Planning

DESCRIPTION

How can you best articulate the value of your security program to non-security professionals in your organization? Or even to board members?

It starts with asking questions. Five of them, to be exact.

Emily Heath, DocuSign’s Chief Trust & Security Officer, covers five questions or pillars to ensure you’re able to confidently speak about your company’s security program.

In this episode of GRC & Me, Emily returns to the podcast to discuss her advice for organizations seeking to drive transparency and competence with both their board of directors and customers. Because the pandemic has changed the risk landscape, Emily believes that the world of GRC must become more resilient. By that, she means organizations should improve their ability to rebound with minimal impact to business.

A global pandemic has taught both organizations and people that risk is everywhere. And while Emily, who also serves on the board of directors for LogicGate and NortonLifeLock, is determined to help organizations prepare for risks, she also finds time for the small things, such as the cooking blog she began during the pandemic.

💬 Key quote: “[W]e believe in being very transparent with our customers. We want them to feel they have confidence in what we do. And to me, that's the difference between trust and security. Security is security technology and that's great. And we have to do that, but trust is entirely different. That's about building relationships with people.”

GRC Highlights 

💻 The pandemic has changed the risk landscape. It has forced organizations to reflect on their security programs due to the shift in the risk landscape. Though DocuSign had remote work-friendly technologies like Slack and Zoom in place, the pandemic shifted the risk profile of how these technologies are used on a day-to-day basis, forcing DocuSign to be more nimble as casual interactions in office hallways shifted online.

💻 The GRC world tends to be stale, stagnant at times — the pandemic has forced organizations to embrace the concept of resilience. Driving resilience is a key component in organizational responsibility, Emily says. It’s how an organization can overcome challenges, such as global pandemics, cyber events, or natural disasters. Emily does just this by questioning what risk means for DocuSign and how the organization can become more  resilient. Traditional disaster recovery and business continuity has expanded as organizations approach risk differently — with iteration and communication rather than rigid processes.

💻 Emily’s experience sitting in various boardrooms has given her insight into how security programs can be better built to address everything from a global pandemic to cyber security threats. Her advice for security professionals?

Ask these five questions to fully understand the security environment:

1. What matters to you the most?
2. What are you trying to protect and where is it?
3. How are we protecting the asset?
4. Where are we most at risk?
5. How resilient and prepared are we to deal with something going wrong? Answering these questions will prevent organizations from relying on generic information to determine vulnerability.  It will also enable a workflow to sensibly adjust to various security threats.

💻 Leverage the five pillars to drive positive business outcomes. Emily asserts that answering the five questions (i.e., pillars) instills confidence in customers because knowing the answers helps organizations better articulate information, which results in trust transparency beyond the data. Articulating risk in a business manner can help organizations build relationships, resulting in trust transparency and better business outcomes. This not only works with customers, but also for internal teams.

💻 The technology permeating any organization is part of an ecosystem. Technology, when applied to operationalize a GRC program, should bring all moving pieces, such as third parties, together. Emily rejects the notion that information should sit in a spreadsheet with a “pretty Tableau diagram on top of it.” Instead, she encourages organizations to use programs, such as LogicGate, to centralize the information.