Governance, risk and compliance - Enacting proactive risk management
In the highly regulated industries of finance, healthcare and energy, effectively managing a governance, risk and compliance program is crucial to containing a cybersecurity breach, especially when international data sharing is involved.
The key is to prioritize proactive risk management, in order to be more than just compliant with security policies and to change how cybersecurity practices are governed within an organization.
Moving Beyond Compliance
Typically, today’s compliance efforts are based on a combination of operational risk management and regulatory risk management. But given the hostility of cyberspace and the rapidly evolving threat landscape, simply being compliant is not enough. Organizations must also be proactive in preventing risk in other areas, for example reputational risk, for which there is no governing or compliance standard.
True reputational risk management is an organization's worst nightmare. It’s not just crisis communication post-breach. It is a part of a proactive approach to risk management that starts before you’ve been attacked, and before your impacted network can begin to attack your customers and partners.
Establishing the Hierarchy of Cybersecurity Governance
Organizations must work to empower the CISO by equipping them with their own resources, authorities, and a reporting regime that gives them direct access to the company’s board. Moreover, the CISO and CIO need to collaborate closely on technology decisions and their security implications, so that the two departments can successfully partner against security risks.
Without at least equality between the CISO and the CIO, organizations are inviting significant risk as the CIO continues to roll out technologies and mobile apps, or outsources to specific companies that haven’t been properly vetted by the CISO from a cybersecurity risk perspective.
Unfortunately, greater priority is always going to be given to the advancement and growth of the company despite cybersecurity concerns for two key reasons.
First, most organizational structures place the CISO under the CIO, whose priorities nearly always come first. These priorities typically put the organization on the offensive, and include increasing access, efficiency, resiliency, and speed to support the growing needs of the business, all of which expand an organization’s attack surface. With limited time and budget, and a rapidly changing technological landscape, this often leaves little for a defensive strategy.
Second, CIOs are encouraged to maintain plausible deniability: under legal precedent, they cannot be held criminally liable for a breach if they weren’t aware that a security gap existed. Unfortunately, this means avoiding proactive penetration tests and hunt exercises. These would offer evidence that something has gone wrong, and that the CIO was aware of backdoors or vulnerabilities within the company’s systems and didn’t take any action against them.
Proactive Risk Management for the Win
With these challenges around governance and compliance in mind, organizations can work to overcome them by enacting proactive risk management which involves taking the following actions:
- Create a privacy-focused culture that is underpinned by cybersecurity.
- Empower the CISO, and the defensive mindset, with authority and budget equal to the CIO’s.
- Transition the conversation away from just IT, to a conversation around risk management and brand protection, while proactively conducting regular compromise assessments across the infrastructure and the company’s information supply chain. In the long run, it is all about the sustainability of the brand.
We can all agree that taking a strong stance on governance, risk and compliance is necessary to successfully mitigate a cyberattack. It’s how to approach them that needs serious consideration.
By focusing on proactive risk management, organizations should reconsider the power governance has, how to effectively address risk, and what being compliant truly means for the CIO, CISO and the entire board.