Wednesday 25 July 2018

Cybersecurity: Invest Early to Protect Your Organization Long Term

Organisations should embrace cyber security compliance to ensure they can effectively navigate the threat landscape.

Recently, I met up with an old friend who’s a project manager for a small company in a highly regulated space. She told me of the trouble she's having getting her team to take compliance reporting requirements seriously. Because the company hasn't appointed a dedicated compliance manager, compliance responsibilities have been dropped in her lap. They have introduced a technology that is garnering a lot of attention in their field, so much so that they've been featured in trade magazines as an industry-disrupter. The team features some truly brilliant minds for whom this company represents the fruition of their life's work. What she's struggling with is getting her colleagues to see that the absence of a coherent body of controls, supported by verification and enforcement mechanisms, can lead to an abrupt and ignominious end for their company while also damaging their individual professional reputations.

Her problem is quite common. Organisations of all sizes are constantly looking for ways to be lean, so securing a Governance, Risk and Compliance (GRC) Lead is far down the list of budgetary priorities for many. In fact compliance programs are often regarded as a distraction, or even worse, a roadblock to innovation. Where such a dim view is held of the GRC role, compliance responsibilities are assigned in an ad-hoc manner with the directive from on high being to merely get the team ‘over the line.’  Of course, to an untrained eye, that line is hard to see. Then there's the matter of having the appropriate skill set and professional acumen to develop a strategy for getting across that line.

Rather than focusing merely on getting across an imaginary line, the organisations that are positioning themselves best for success over the long term are those that go above and beyond baseline security requirements. These organisations embrace a firm security posture because they want to establish in the minds of their clients and partners that they can be trusted with their most vital data. Once their information security practices achieve a high level of maturity, they don’t rest on their laurels. Instead they apply the principle of continuous improvement so that their defensive strategy evolves to adjust to the constantly changing threat landscape. By taking such a firm stance on cyber security, these organisations are not only protecting their critical data, they are protecting the organisation’s brand itself. This forward thinking approach to cyber security also enables these organisations to meet newer, and more stringent, regulatory requirements with only a few adjustments to their standard operations.

In young, disruptive firms like my friend's company, a GRC Lead's role is akin to that of an artist's manager, where the artist is freed to focus on the art while the manager addresses business matters. At her company, the GRC Lead must be capable of understanding the company's business model, identifying the various risks that the company faces, and building a control framework that aligns with business objectives while addressing those risks.

In taking this approach to building the company’s control framework, the GRC Lead increases the likelihood that the controls are appropriate to the business. From there the GRC Lead must craft assurance activities, such as evidence gathering and reporting, that can be generated in as efficient a manner as possible. Coherent compliance processes are more likely to be adopted by the people tasked with them, because they’re sensible as opposed to appearing to be onerous and arbitrary bureaucratic exercises. Successful GRC Leads create coherent compliance processes first by understanding control objectives, clearly explaining these objectives to the team, leveraging existing technologies to automate control activities (easing the burden on the staff) and then streamlining the reporting cycle. The streamlined reporting cycle affords decision makers the most up-to-date view into the organisation's cyber security risk exposure. With these reports, the GRC Lead must present to the decision makers concise, clear options for addressing these risks which explain their business impact as well as any actions needed to reduce the risk. Level of effort required to addressing a risk must be included in this explanation, so business leadership can make sound investment decisions that are in-line with their risk appetite. Beyond addressing current risks, the GRC Lead must keep an eye on the road ahead to see what threats may be looming on the horizon. Does this sound like a part time job?

It's not. Increasingly companies are coming to this realisation. The evidence is all around us. Reputations are being gutted by massive data breaches and poorly managed responses to them. Then there’s the introduction of regulations with real teeth, such as GDPR, which can take a huge bite out of a company's revenue. Leading organisations are responding by taking a pro-active approach to cyber security. They’re strengthening their security posture not because they see it as a necessary evil, but because they recognize it as a competitive advantage that will enable them to more effectively fight off the threats that could take down their weaker rivals. Plus, in the long run, it’s far less expensive to make minor adjustments to your operational practices in adhering to a new regulation than to turn your organisation upside down with each roll out of a new regulatory regime. For mature organisations, complying with new regulations may be as simple as conducting a control mapping exercise, for immature organisations compliance can require a major investment in resources as well as an enterprise wide cultural shift. Furthermore, when driven by regulations, rather than by a long-term strategy harmonious with business objectives, investments in cyber security can be wasteful and not truly fit for purpose. So, the key is to envision the strong, resilient posture you want for your organisation and work towards that. With that in mind I'll be delivering a series of webinars on practical steps in building up your organisation’s cyber security program.

However, please feel free to contact me in the meantime so we can discuss firming things up at your organisation.