Risk Culture


Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> As we're winding down the section on governance, I want to talk a little bit about culture and ethics. If we talk about risk culture, these are the ways we behave; this drives what we consider to be normal, how we typically behave within the organization, and this must come from the top. A governing entity sets the tone for the organization: how they behave, how they communicate, and whether or not they enforce policies or allow security breaches to slide, or don't use risk management to make their decisions.

Governing entities need to make sure that what they do is congruent with what they say and vice versa. If that's the case, then we'll see an organization where policies are followed, and if they're not, there's some form of correction there, maybe retraining, perhaps. If you want to see policies get followed, start enforcing them. I'm a big believer in that. Just writing a policy doesn't do anything. Policies are only as good as their enforcement. It's great to have these terrific policies written down. If senior management really wants to change the culture of the organization, they need to be seen following the policies themselves, and they also need to be seen enforcing the policies.

What we have is an overarching risk culture as a whole. Maybe in our industry... certain industries have certain approaches to risk: certain feelings, certain activities and behaviors with risk. Then within that is our organizational culture, and how we as an enterprise do our business. Our organizational culture is going to influence individual behavior. Of course it will. We're going to act in accordance with the culture most of the time. That's going to shift how I behave, and how I behave is going to be dependent on, a reflection of, and have an impact on what my personal ethics are. Organizational behavior is going to shape my personal ethics. This may be a better way to say that. Then my personal ethics are going to influence whether or not I'm predisposed to risk. I just wanted you to see this flow, but it's got a flow down from the top.

Governing entities have to be on board. Their job: they determine what their risk appetite is, through an assessment to determine if we're in alignment with that appetite, then figure out what the priorities are. Figure out interventions to influence the risk culture, implement and engage those priorities, and then reassess to monitor success and start all over. What we're looking at here is senior leadership: figure out what the risk appetite is, assess where you are, figure out what to do next and prioritize, figure out how these changes are going to be actually implemented, then implement them, reassess, continue to monitor, just like always. Our risk culture is going to ultimately wind up shaping our ethics, and we'll talk about ethics in the next section.