Scott Bridgen serves as Head of GRC at OneTrust, the world’s most widely used privacy, security, and trust technology platform.
In his role, Scott is responsible for driving the development and delivery of OneTrust’s integrated risk management product as well as driving the refinement of the toolset and offerings. He advises companies throughout their risk management implementations to establish processes to support operations and align with their enterprise objectives, including adopting industry best practices and adhering to requirements relating to relevant standards, frameworks, and laws (e.g. ISO, NIST, SIG and more).
Scott works with clients to realise the extent of their risk exposure, helping clients to map their digital infrastructure, assess risks, combat threats, monitor ongoing performance, and document evidence throughout the risk lifecycle. Scott Bridgen serves as a GRC Consulting Director for OneTrust GRC, purpose-built software designed to operationalise integrated risk management.
How important is it for organizations to maintain a “single source of truth” in the context of security? What are the risks of failing to do so?
It’s essential for organizations to maintain a “single source of truth” in the context of security. By doing so, organizations can identify the various factors and workstreams of their security team across business assets, processes, and new initiatives, all the way up to corporate objectives that are fundamentally enabled by the security team (i.e. access, availability, protection, and vetting of the extended enterprise and third parties). Additionally, a single source of truth gives organizations the ability to contextually understand points of entry and what threats look like both internally and externally.
The caveat to this is that not all efforts can be captured singularly. Organizations will be able to leverage a single source of truth for specific areas and capture other key factors as a supplement. Failure to do so could lead to the risk of not knowing where to focus mitigation efforts, where risks lie, or the aggregated concentration of a risk, which could amount to a more significant level of exposure.
How can security teams integrate insights gained from other teams (privacy, vendor risk-management, etc.) into their own strategies?
Security teams can integrate insights gained from other teams (privacy, vendor risk-management, etc.) into their own strategies by focusing on bi-directional dependencies. Specifically, the privacy team works to ensure business data is compliant with relevant privacy laws and regulations, but also relies on the security team to protect the data from being mishandled. As such, the security team is responsible for ensuring the confidentiality, integrity and availability of this data is seamless across privacy as well as security.
The same goes for vendor risk management (VRM) teams. VRM teams might be involved in the evaluation and review of a prospective vendor’s ethics and compliance practices from an anti-money laundering standpoint, but VRM and security teams must work together to confirm a vendor is secure from a SOC 2 or ISO standard.
The information sharing across these commonly siloed domains brings new insights to the business. The insights you get here are context. It’s important to understand what the priorities of each team are in terms of what they’re doing, why they’re doing something, and how it rolls up to business objectives and resiliency plans.
What are the additional risk challenges faced by organizations operating across remote or hybrid environments?
If organizations learned anything over the past several years, it’s that they undoubtedly face different risk-related challenges by operating in a remote or hybrid environment in comparison to the traditional office setting. A few examples of these risks include the ability to access sensitive documentation and potentially do nefarious things, increased availability of under-protected networks, a rise in shadow IT, and ongoing digital fatigue which can lead to exhaustion and mistakes. Taken together, organizations must account for these various challenges and ensure the proper controls are in place to mitigate existing risks as well as the new adaptations of potential risks fueled by flexible working environments.
How can you mitigate the risk of insider threats while also building trust among your employees?
It’s not possible to mitigate the risk of insider threats, but organizations can reduce the risk.
To reduce the risk of insider threats, organizations must enact clear education to ensure that the management team and lines of business understand security by design as well as the importance of upholding proper security practices as a cultural initiative.
By explaining the importance of security practices, only then can employees trust how and why something is being done. At the end of the day, this trust is transactional and goes both ways.
How can a strong risk management program help drive an organization’s growth?
A strong risk management program can help drive an organization’s growth by highlighting a forecast of what will prevent the business from achieving key objectives and presenting business growth opportunities. With a weighted approach to balancing your risk posture, the risk team can truly enable the most efficient way to enable the broader business while protecting against negative impacts.
Growth is about taking risk, so by understanding where and what risks are, only then can an organization embrace risk and drive a culture where everyone recognizes that risk is their responsibility.