How to Write a Charter for a Cyber Risk Management Project

July 23, 2020  Raymond Patterson

At RiskLens, we encourage new clients to develop a charter to guide everyone through the process of acquiring the RiskLens cybersecurity risk management platform and the engagement with the RiskLens Services team to establish a quantitative risk management program. Below is a sample charter for a RiskLens cybersecurity software project, along with a guide to writing your own charter so that it meets the needs of the economic buyer (EB) making the purchase decision.

What is an EB charter for a cybersecurity solution purchase?

An economic buyer charter is a simple statement that serves many purposes. Often, when an organization purchases software, it focuses on getting through the purchase negotiation and closing the deal rather than thinking about what comes next once the deal is done.

The EB charter solves this problem. The charter addresses matters such as:

  • The reason the organization is buying the software
  • The “jobs to be done” to implement the software
  • The urgency and timeline that the EB expects his or her team (and the vendor) to rally around
  • The communication cadence for the team and the vendor
  • The types of issues that the EB wants escalated right away.

When is the right time to do a charter?

Ideally, a charter is established during the selling/purchase process, so that once the transaction closes, the EB’s team and the software vendor’s team can hit the ground running with an already written outline of what they are supposed to do with the software and by when. Writing the charter at this point keeps the momentum going and helps the customer and the software vendor start organizing for execution.

How are software charters used in practice?

They serve as an excellent tool during status reviews between the software vendor and the customer, ensuring that progress is being made in line with expectations. The charter also shines a light on the notion of value: what does the EB consider valuable from the software and from the vendor’s consulting services? Using the charter to distill that value target keeps everyone aligned on the goal.

So, what does a good charter look like for an economic buyer of cybersecurity software?

A good charter is first and foremost a written document. It is not created casually, nor is it kept secret; it needs to be in a form that rallies the respective teams around what to do. As noted above, the charter should address the jobs to be done (why the customer purchased, stated as specifically as possible), the expected timeline for attaining value, the communication cadence between the customer and the software vendor, and finally the escalation criteria for issues to be raised to the EB. These are the minimum criteria; charters can (and often do) go beyond them.

Here’s a real-world example of a charter from a RiskLens client (name redacted to protect the innocent):

  • We are implementing a Cyber Risk Quantification Program across all of the company globally in partnership with RiskLens.
  • The cornerstone of our program is the RiskLens platform, which has been purpose-built on the FAIR risk model enabling explicit cyber risk quantification.
  • This program is a key component of the Security Risk Management initiative, which is one of the top global security initiatives with progress reported weekly to the Executive Board.
  • Speed of execution over the next 8-12 months is critical.
  • Accountability for success resides equally with both organizations.
  • At a minimum, we want to see RiskLens results focused on helping to recommend the prioritization of security investments using risk quantification as the basis.
  • Should you encounter any roadblocks or challenges that would endanger our committed timelines, please escalate them to me (the EB) immediately and without delay.
