Don’t leave without this quick checklist
- Name an owner. Treat good technology risk as both a project and ongoing BAU. Assign someone with dedicated responsibility and an accountable executive sponsor.
- Launch with fanfare. Communicate to create excitement, recognise participation and set the tone from the top.
- Know your estate. Understand what services, tools, suppliers and teams are critical to your product. Those should get most of your attention. Track them somewhere central to your operations and assign an owner responsible for keeping that record up to date.
- Learn from your stakeholders. Have a way to identify and track what your stakeholders want - customers, investors, regulators and partners will need to know that you are keeping them safe.
- Know what good looks like. Establish your top controls and critical benchmarks, stay focused on those targets, and track and communicate progress against them.
- Tell the story. Use data and narrative to explain benefits and show progress. Don’t be afraid to tell your Board what you’ll get to, when, and what you can’t achieve with current resources. It’s their job to understand and challenge those tradeoffs.
Lastly, Kasey recommends:
- Data Contracts, by Andrew Jones
- Inavate UK’s ISO audit and consultancy services
- A tool that can track shadow IT, like Torii
- A tool that can keep track of your inventory:
  - Data mapping: Transcend (also a great overall privacy management tool, especially if you’re struggling with DSARs)
  - Service catalogue: Backstage
- A tool for keeping track of control frameworks (GRC - “Governance, Risk & Compliance”), like Hyperproof or Anecdotes
- A tool for response libraries, customer due diligence and RFP management, like RFPio
- An email security tool to prevent data loss and phishing, like Tessian
- Slack-integrated incident management from Incident.io