Organisations should embrace cyber security compliance to ensure they can effectively navigate the threat landscape.
Recently, I met up with an old friend who's a project manager for a small company in a highly regulated space. She told me of the trouble she's having getting her team to take compliance reporting requirements seriously. Because the company hasn't appointed a dedicated compliance manager, compliance responsibilities have been dropped in her lap. They have introduced a technology that is garnering a lot of attention in their field, so much so that they've been featured in trade magazines as an industry disruptor. The team features some truly brilliant minds for whom this company represents the fruition of their life's work. What she's struggling with is getting her colleagues to see that the absence of a coherent body of controls, supported by verification and enforcement mechanisms, can lead to an abrupt and ignominious end for their company while also damaging their individual professional reputations.
Her problem is quite common. Organisations of all sizes are constantly looking for ways to be lean, so securing a Governance, Risk and Compliance (GRC) Lead is far down the list of budgetary priorities for many. In fact, compliance programs are often regarded as a distraction, or even worse, a roadblock to innovation. Where such a dim view is held of the GRC role, compliance responsibilities are assigned in an ad-hoc manner, with the directive from on high being merely to get the team 'over the line'. Of course, to an untrained eye, that line is hard to see. Then there's the matter of having the appropriate skill set and professional acumen to develop a strategy for getting across that line.
Rather than focusing merely on getting across an imaginary line, the organisations that are positioning themselves best for success over the long term are those that go above and beyond baseline security requirements. These organisations embrace a firm security posture because they want to establish in the minds of their clients and partners that they can be trusted with their most vital data. Once their information security practices achieve a high level of maturity, they don't rest on their laurels. Instead, they apply the principle of continuous improvement so that their defensive strategy evolves to adjust to the constantly changing threat landscape. By taking such a firm stance on cyber security, these organisations are not only protecting their critical data, they are protecting the organisation's brand itself. This forward-thinking approach to cyber security also enables these organisations to meet newer, and more stringent, regulatory requirements with only a few adjustments to their standard operations.
In young, disruptive firms like my friend's company, a GRC Lead's role is akin to that of an artist's manager, where the artist is freed to focus on the art while the manager addresses business matters. At her company, the GRC Lead must be capable of understanding the company's business model, identifying the various risks that the company faces, and building a control framework that aligns with business objectives while addressing those risks.
In taking this approach to building the company's control framework, the GRC Lead increases the likelihood that the controls are appropriate to the business. From there, the GRC Lead must craft assurance activities, such as evidence gathering and reporting, that can be generated in as efficient a manner as possible. Coherent compliance processes are more likely to be adopted by the people tasked with them, because they're sensible as opposed to appearing to be onerous and arbitrary bureaucratic exercises. Successful GRC Leads create coherent compliance processes first by understanding control objectives, clearly explaining these objectives to the team, leveraging existing technologies to automate control activities (easing the burden on the staff) and then streamlining the reporting cycle. The streamlined reporting cycle affords decision makers the most up-to-date view into the organisation's cyber security risk exposure. With these reports, the GRC Lead must present to the decision makers concise, clear options for addressing these risks that explain their business impact as well as any actions needed to reduce the risk. The level of effort required to address a risk must be included in this explanation, so business leadership can make sound investment decisions that are in line with their risk appetite. Beyond addressing current risks, the GRC Lead must keep an eye on the road ahead to see what threats may be looming on the horizon. Does this sound like a part-time job?
It's not. Increasingly, companies are coming to this realisation. The evidence is all around us. Reputations are being gutted by massive data breaches and poorly managed responses to them. Then there's the introduction of regulations with real teeth, such as GDPR, which can take a huge bite out of a company's revenue. Leading organisations are responding by taking a proactive approach to cyber security. They're strengthening their security posture not because they see it as a necessary evil, but because they recognise it as a competitive advantage that will enable them to more effectively fight off the threats that could take down their weaker rivals. Plus, in the long run, it's far less expensive to make minor adjustments to your operational practices in adhering to a new regulation than to turn your organisation upside down with each rollout of a new regulatory regime. For mature organisations, complying with new regulations may be as simple as conducting a control mapping exercise; for immature organisations, compliance can require a major investment in resources as well as an enterprise-wide cultural shift. Furthermore, when driven by regulations rather than by a long-term strategy harmonious with business objectives, investments in cyber security can be wasteful and not truly fit for purpose. So, the key is to envision the strong, resilient posture you want for your organisation and work towards that. With that in mind, I'll be delivering a series of webinars on practical steps in building up your organisation's cyber security program.
However, please feel free to contact me in the meantime so we can discuss firming things up at your organisation.