cfotechoutlook

The Quintessential Technology Source for Corporate Financial Professionals

IN MY OPINION
November 2020

WORKING MORE EFFECTIVELY WITH ENTERPRISE RISK MANAGEMENT

By Eric Bonnell, SVP, Manager - Technology and Asset Risk, Atlantic Union Bank

How can an Information Security professional work more closely with the Enterprise Risk Management team? My answer is simple: learn to speak the same language!

As I write this, I am thinking of a member of my staff whom I am growing into a Technology Risk role. I am working with him on this: the trick to understanding risk from an enterprise perspective is to speak the same language as the business. Relationship building is your key. Understanding your place in the Enterprise Risk Management ecosystem helps.

Is This How You Probably Perceive Risk?

Information Security professionals use frameworks for threats, vulnerabilities, and controls to address risk. Because these frameworks are technical in nature, they are usually very prescriptive and control-centric. After all, when you are looking to protect the data on your network, most technology controls are cut and dried: encrypt wherever possible, strictly segment the critical systems on your network, closely control file access, and put in place a process to monitor and alert on threat events. To see this, refer to the closest technical framework: NIST, FFIEC, PCI, etc. All of these are control-centric because the issues in technology are, for the most part, static and predictable once understood.

How Most of Enterprise Risk Perceives Risk

The processes on the business side are not as predictable. In fact, business processes are fluid and always changing, as the business is always growing, adapting, moving, reorganizing, and, well, changing. This is the nature of business, as its main function is to bend toward opportunity and to be profitable. As a result, Operational