In today's age of high-profile data breaches and rapidly evolving regulatory landscapes, security, risk and compliance (SRC) professionals have their work cut out for them.
In this Q&A, Joe Colaizzo, Mediant Director of Risk Management, and Will Pulsifer, Mediant Director of Security, discuss the critical role of the SRC Team, how their job responsibilities have evolved over time, and the impact of their work on the client experience.
Q: What are the main responsibilities of the SRC Group at Mediant?
Joe: It's our responsibility to instill a culture of risk awareness and compliance among all employees. We assist the organization in dealing with any known exposures and provide foresight into threats that may be coming.
We ensure security, risk and compliance considerations are part of a smooth onboarding experience for new clients. In addition, when our organization develops new products, security, risk and compliance considerations are part of a product's design.
Will: My role generally focuses on information security, cloud security and cyber risk management. While there's an operational side to that, we are increasingly focused on making risk management a tool for business development and ongoing corporate governance. We're moving more towards a place of risk management by design rather than as a reaction to events.
Q: Does the SRC Team work closely with other groups within Mediant or does it operate independently?
Joe: SRC is a distinct and independent business unit, which allows us to be objective in how we assess and recommend risk and security practices that the organization might need. We are in daily partnership with Technology, Operations, business units, and Sales.
Will: I have daily conversations with people in every part of the company and at all levels. We work hard to create and maintain a culture of openness and collaboration; if someone has a question or concern, I want them to feel comfortable to come to somebody on my team to find answers.
Q: How have SRC teams evolved in the last 20 years? How have companies had to adapt?
Joe: It's a mindset shift to become more proactive than reactive. Twenty years ago, the approach was largely focused on "risks that we know" so it was more of a reactive approach. Now, you've got to be thinking ahead. What don't we know, what could go wrong, where could we improve? It's not easy, especially when business cycles are good, but complacency is one of the biggest risks of all. That's the biggest change.
Will: The speed and volume of threats or potential threats keep increasing. The volume of data that's transacted today is more than it ever has been, and it moves around faster. So the toolsets, insight and training needed to react quickly and understand the changing threat landscapes is significant. This is something that's going to continue to get more and more essential and complex over time and businesses that invest here are going to be in a better place than those who choose not to.
There's no way you can do this effectively without taking advantage of the democratization of tools that the cloud offers. At Mediant, taking advantage of the breadth and scope of cloud services is a huge benefit to our ability to see patterns in data and better support our customers.
Q: What are the most important skills for SRC team members to have?
Joe: Technical skills are important. You need to understand risk management fundamentals, security fundamentals, technology, and the basic protocols. In addition, being able to learn and adapt in this fast- paced environment is critical.
However, I also think that relationship management is one of the most important competencies for these professionals to have. If a risk, security or compliance professional is not able to build trusted, working relationships with the rest of the organization, that will definitely impede transparency and the ability to efficiently mitigate risks and exposures.
Will: Having a good and open relationship with the executive management team is also key because that's who is going to evangelize, help spread the message, and give us the resources we need to be successful over time.
Q: In the highly regulated world of investor communications, effective SRC processes are critical in delivering optimal client results. Does SRC play a role in the client service lifecycle and, if so, how?
Joe: Yes, and at all points along the lifecycle. When Mediant onboards a new client, the Security, Risk and Compliance Team are all part of that process. That often includes being involved with client proposal efforts. Our clients want to know that if they work with Mediant, their data, clients and business are in good hands. When we win new clients, we become an extension of their business. Our SRC practices then become an ongoing matter of evaluation and improvement.
Will: In the last 10 years, I don't think there's been a renewal or a prospective pitch that hasn't included a lengthy questionnaire about security and risk management. It's one of the first things that anybody's going to do for due diligence. It's another way that SRC can be a part of the sales and customer support process and has the added benefit of giving us a window into the risks our clients care about.
Q: How can organizations assess their risk-awareness culture?
Joe: No matter the organization, errors and issues will be experienced. The real indicator is whether the trendline is going up, staying flat or going down. One way tells you that folks in the business are operating safely, while the other can hint that they may be getting a little too risk tolerant.
The tone set at the top is also important. A key driver of our success is the board and executive team mandating good risk and security practices.
In addition, another qualitative way I like to assess culture is how many times people outside of SRC bring potential issues to us. The more, the better. It means everyone's thinking about this.
Will: One way an organization can quickly assess its risk-aware culture is by how much it is willing to pay for insurance. There's a direct correlation between the cyber risk insurance you carry and the mitigations and controls you can demonstrate to your carrier. Other things to consider are your awareness and handling of data: What data do we have? How much data do we have? Is there a shared understanding of our data? If the answer is yes to these kinds of questions, then you're in pretty good shape.
For more information, contact us.
