Some enterprises do not take a holistic approach to managing data and technology because they fail to make the connection between governance, risk management and compliance.

Doing more than the bare minimum to comply with the law is seen as financially irresponsible.

Lawyers often favor a compliance-focused approach to privacy and security. In turn, many enterprises still rely on compliance silos and checklists focusing on discrete sets of requirements. However, risk to the enterprise exists, even in the absence of legal requirements to undertake specific actions.

Governance, Risk Management Strategy Needed

Without an adequate governance and risk management strategy, threats actors can more easily exploit the privacy, confidentiality, integrity and availability weaknesses inherent in operations. Valuable data and technology are targeted by geopolitical rivals, organized crime and hacktivists for economic and political gain.

An enterprise’s valuable data is frequently possessed or controlled by third parties, such as service providers. The US Justice Department recognizes that law firms are among these vulnerable third parties trusted to handle valuable data. Security incidents and privacy breaches can create chaos and the impact to the enterprise can be significant.

Brand and reputation can be severely damaged, impairing the enterprise’s ability to conduct business. Intellectual capital, business plans, and financial resources can be stolen, resulting in a huge financial loss and impairing an enterprise’s ability to compete.

At Mossack Fonseca, a Panamanian law firm, a security incident exposed more than 11 million client documents to unauthorized access and disclosure. The revelations included embarrassing details about a complex web of legal and financial transactions undertaken for affluent and influential politicos. The Panama Papers was the impetus for political resignations – trust in the law firm and confidence in governments was shaken.

When trust is lost, relationships with shareholders, stakeholders, peers, customers and employees are stressed. The impact extends beyond the enterprise or its industry. In the United States, exploited vulnerabilities cost American enterprises billions of dollars and the American economy hundreds of thousands of jobs each year. Fewer jobs translate into less tax revenues, more deficit spending, more debt, and less infrastructure spending, handicapping a superpower.

The law is immature. Enterprises should turn to leading published perspectives for more timely and accurate guidance. Latent vulnerabilities are inherent in the business processes and technologies in all enterprises. Most jurisdictions do not have detailed legal regimes for the protection of data and technology assets. Legislators and regulators lack perspective and expertise. They are slow to act and, in some jurisdictions, legislators and regulators tend only to take action in extreme circumstances.

The laws, when developed, can employ inconsistent nomenclature and only address part of an issue, making it difficult for enterprises to rationalize and simplify requirements. The law is constantly involved in a game of catch up and it is losing. The compliance-focused approach leaves open the door for hacktivists, geopolitical competitors, and organized crime to alter the global political landscape and jeopardize economic and national security.

COBIT is Business-driven, Risk-based

A compliance-focused approach manages an enterprise’s risk of noncompliance (civil and criminal penalties), with varying degrees of success. Resist the urge to focus on compliance. Maturing governance and risk management helps to preserve the value of an enterprise’s assets.

The COBIT body of knowledge includes governance and risk management principles and processes. COBIT is business-driven and risk-based. Develop, implement, maintain, and mature governance and risk management processes and tools for your enterprise.

Make compliance among the considerations addressed in your governance and risk management strategy and include compliance among the enterprise’s key performance measurements. The benefits are many.

With COBIT, informed executives can establish business objectives that can be achieved within the executive-defined risk tolerance. Resources can be more efficiently allocated. Programs can be more effectively managed and communicated. The privacy and security programs’ successes and failures can also be meaningfully reported to key compliance stakeholders and regulators.

(About the author: Frank Cindrich is counsel and advisory for data protection and privacy, and a member of the ISACA. This post originally appeared on his ISACA blog, which can be viewed here.)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access