Businesses operate in an ever-changing and evolving global environment where nothing should be taken for granted. Nobody could have imagined what the year 2020 was about to bring – where something as small as a virus became the most disruptive event modern humanity has witnessed.
The nature of organizations is to evolve and adapt to changes and the risks associated with these changes. Evolution and adaptation are crucial features of every living organization, otherwise they become obsolete and disappear. So did businesses, small and big, in response to the challenges brought by the pandemic. They adapted their strategies overnight and adopted remote work schemes to comply with social distancing and other public health measures to contain the virus.
To implement these strategies, organizations embraced digital transformation at an increased pace. Satya Nadella, CEO at Microsoft, said in April 2020 that “We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning to sales and customer service, and critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything.”
Businesses migrated to the cloud, deployed a multitude of cloud platforms, moved almost all their data to the cloud, and employed containerized services not only to survive change but to thrive in this challenging environment. All these technological advancements brought many benefits, but equally created novel vulnerabilities and risks. The cybersecurity landscape changed together with the technological one.
Cybersecurity risks have “escaped” from the siloed and protected environment of IT departments and have become business risks. In fact, the World Economic Forum 2021 Global Risks Report ranked cybersecurity failure as the fourth short-term risk for doing business. Cyber risks are now business risks and require a holistic approach to managing them.
“Our job is not to make a business safe but to make it as safe as it chooses to be. We are no different from car mechanics. They must create cars as fast and safe as their car industry chooses,” stresses Christos Syngelakis, CISO at Motor Oil, the biggest oil and refinery industry in Greece.
This is where the role of a Certified in Governance, Risk and Compliance (CGRC) professional becomes incredibly important. Their role is to lead and navigate their business through the risk management challenges.
As Taylor Newman comments, “The biggest benefit of having achieved the CGRC credential is the use of knowledge and skills within risk management. This has allowed me to mold my team’s current way of pursuing risk assessments…”
Business leaders everywhere, at institutions of all sizes and in all industries, are searching for the optimal means to improve cyber resilience. The best way to do that is to advance a “risk-based” approach to cybersecurity.
As Hunter Sekara remarks, “One of the greatest benefits of achieving the CGRC credential is that it helped me influence and shape a risk-based security culture. Shifting the mindset of leadership from compliance-based security to risk-based security has been one of the most significant challenges of my career, yet the most rewarding.”
By identifying and focusing on the elements of cyber risk, organizations can decrease their overall enterprise risk. Therefore, understanding and prioritizing the many components of cyber risk is essential for fostering the enterprise’s cybersecurity efforts.
Failure to do so will have severe consequences. Attackers benefit from organizational indecision on cyber risk, and the costs of a single cyber-attack can be devastating. However, an approach of “build everything everywhere” and “monitor everything” to address ALL risks is wishful thinking and a utopia that leads to cyber fatigue.
What is required is for the CGRC professional to become an enabler of change by proposing ways to safeguard the organization. A risk-based approach can benefit their organization in many ways by designating risk reduction as the primary goal and enabling the organization to prioritize investment based on a cyber program’s effectiveness in reducing risk. Risk-reduction targets become measurable, realistic implementation programs with clear alignment from the board to the front line.