Does your organization regularly review and adjust cybersecurity risk strategies that may be impeding business operations or innovation?
Explanation
The concern is balancing security against the freedom to operate and innovate: specifically, whether you periodically revisit and adjust controls that may be holding the business back.
Security measures that are too restrictive can hinder productivity, slow innovation, or drive users to workarounds that introduce new vulnerabilities. Regular review ensures that security controls remain appropriate and proportional to the risks they address while still supporting business goals.
Evidence could include documentation of periodic risk strategy reviews, meeting minutes from security and business leadership discussions, or change logs showing adjustments to security controls based on operational impact assessments.
Implementation Example
Examine whether cybersecurity risk strategies that impede operations or innovation should be adjusted
ID: GV.OV-01.059
Context
- Function: GV: GOVERN
- Category: GV.OV: Oversight
- Sub-Category: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
Related questions
- Has your organization established metrics to evaluate the effectiveness of risk management decisions in achieving business objectives?
- Has your organization reviewed recent audit findings to verify that your cybersecurity strategy effectively ensures compliance with both internal policies and external regulatory requirements?
- Does your organization regularly evaluate the performance of cybersecurity roles to identify necessary policy improvements?
- Does your organization have a formal process to review and update its cybersecurity strategy following security incidents?
- Does your organization regularly review key performance indicators (KPIs) to verify that security policies and procedures are achieving their intended objectives?
- Does your organization regularly review key risk indicators (KRIs) to identify, assess, and prioritize cybersecurity risks based on their likelihood and potential impact?