
Risk Management: “You can’t manage what you can’t measure!”

Sep 22, 2020 11:26:07 AM

There isn’t one rule that fits all organisations for privacy risk management; it comes down to the contexts, needs and priorities of the organisation itself. In a recent webinar I attended, it was stated that risk management generally leads to one of three outcomes:

  1. Accept - Organisations can accept risk on the basis that the process under consideration is worth the potential consequences.
  2. Transfer - Organisations can transfer risk by outsourcing to a third party or vendor to protect the area of concern.
  3. Mitigate - Organisations can mitigate the risk by scoping and leading the implementation of IT security changes, controls and initiatives.

Regardless of whether risk is accepted, transferred or mitigated, you don’t need to be an information privacy expert to understand the correlation between an organisation’s privacy practice and its preparedness to respond to a data security incident. It’s quite clear: poor privacy structures and processes significantly decrease an organisation’s ability to respond with efficiency, effectiveness and completeness. To validate this statement, in its recent research report, Osana found that organisations with poor privacy practices were 80% more likely to experience a data security incident than organisations shown to have stronger practice.

Although it’s commonly stated that “it’s not a matter of if, but when” in relation to dealing with a data security incident, organisations continue to struggle with implementing data privacy protocols, according to a recent TechRepublic study.

If an organisation chooses to mitigate its risk, this is usually the most difficult of the three options to manage, because of the potential impact on the time, budget and personnel the organisation needs to facilitate its mitigation strategies. Even so, when it’s all said and done, how does an organisation know its risk mitigation practices, programs and processes actually work?

To assist with insights on this, RTG has designed a process that analyses qualitative data to calculate an organisation’s Preparedness to Respond (“PtR”) score. This process uses 104 data points drawn from information security risk management best practice. The PtR score covers technology controls, IT processes and systems, policy and compliance, stakeholder knowledge and training, and team/support structures. Each element has its own rating for its risk impact (low versus high impact) and for its influence on the organisation’s response preparedness (low versus high preparedness).

As an example, a formal process such as a Data Breach Response Plan can positively influence an organisation’s preparedness to respond to a data security incident. However, if stakeholder training or communication is not effective, this will negatively influence the organisation’s preparedness.

RTG has facilitated this PtR process in a number of organisations in the education and local government sectors, and the outcomes have generated deep insight into their respective approaches to risk management and the opportunities that exist to minimise risk.

So, how can an organisation strengthen its privacy practice? Better still, how can an organisation gain insight into whether its risk mitigation practices, programs and processes actually work? The PtR scoring system is one way to find out. A mentor once told me “you can’t manage what you can’t measure”. Through PtR metrics you can identify, and measure, which elements are having the highest impact on proactive risk mitigation, and where to focus attention to strengthen a safe, secure digital network, all based on your organisation’s contexts, needs and priorities.

If you’re interested to learn more about RTG’s Preparedness to Respond process, please reach out to me to discuss.

(e) mgillies@rtg.com.au

(p) 1300 362 456

Topics: Risk Management

Written by Mel Gillies

Mel Gillies is Director Consulting - Risk and Security at RTG. Mel has recently been awarded her Master of Education (Research) comparing global and local privacy regulations, contextualising this to educational data governance and how these inform the privacy and security of school data within the ‘Educational Data Economy’. A qualified Lead Auditor ISO27001: Information Security Management System, Mel works closely with organisations to assist in identifying and protecting against cyber threats, whilst strengthening incident response plans to support timely recovery to normal operations and reduce the impact from a data breach or cyber security incident.
