Security News
The 10 Most Important Things A Company Needs In Its Risk Management Plan
Michael Novinson

Probe Why Things Went Wrong
Risk management plans should not only measure risk, but also examine the impact of incidents where bad things happened, according to Optiv's Robinson. This diligence function should result in better management of each level of the risk management life cycle, Robinson said.
The diligence function should look for very specific controls—such as updated endpoint security on a laptop—and be able to articulate to the board and C-suite what the presence or absence of these controls means, Robinson said.
Explaining to nontechnical leaders why it's good to see certain controls in place is a form of process maturity in and of itself, Robinson said, and while it's driven by data and numbers, the functionality needs to go beyond just looking at the figures. Painting with broad brushstrokes makes it easier for leaders of an organization to understand what is and isn't working, according to Robinson.