Shifting compliance to effectively measure risk and balance GRC mandates
Historically, meeting governance, risk and compliance (GRC) mandates was mostly a matter of ensuring a business had solutions in place to achieve compliance, thereby reducing the risk or consequence of non-compliance with regulators (the fines and penalties associated with failing an audit).
Now, true cyber-risk needs to be measured differently. To pass increasingly demanding audits, GRC programs need to focus on proving that solutions are in place as safeguards that protect data. GRC mandates are shifting in this direction, but sometimes lag behind the pace of cybersecurity.
The Evolution of GRC
The poor signal-to-noise ratio of our mixed compliance and cybersecurity industry has produced overwhelming complexity. From a data security and risk perspective, balancing governance, risk and compliance regulations will continue to be a priority, and will only grow in importance.
New mandates are introduced and redefined at an exponential pace in jurisdictions all over the world in an effort to keep pace with the steady increase in data exploits. According to a recent survey, this activity has been particularly intense within the retail, finance, and healthcare industries.
As we move forward, the merging of security controls with compliance requirements needs to happen faster, so that compliance requirements can drive the reduction of risk, and clarity about that risk, from the top to the bottom of the enterprise (from the board to the security analyst).
Over the past few years, almost all privacy mandates and regulatory compliance requirements have included cybersecurity technical provisions, put in place to help focus on ensuring and proving the necessary enforceable security safeguards. Everyone within the organization shares the responsibility and liability to prove safeguards are in place and measured effectively.
If organizations are willing to invest the effort to map their compliance requirements onto a common security framework (NIST CSF, CIS CSC, or even PCI DSS), they gain a way to automate the alignment of their critical assets and data with both compliance obligations and security risk.
Understanding risk at the control level helps prioritize where real effort needs to be applied to meet individual compliance requirements. If businesses simply attempt to check off GRC requirements one by one, their efforts may drift away from the intention or spirit of the compliance mandate and work against each other.
The Challenges Ahead
Within the current threat landscape, this is one of the biggest strains on a business: the tendency to perform "check-box" compliance rather than focusing on measuring risk. To overcome this obstacle, businesses should map data privacy requirements back to the actual controls in place to protect the data, which gives a better picture of their regulatory and risk posture. This makes it quicker to demonstrate both success in meeting compliance mandates and fulfilment of mandatory, enforceable security protection.
One of the biggest challenges in balancing GRC is the sheer number of industry regulations that affect any one company and with which it must comply. Take any highly targeted industry, such as the financial sector. Financial services organizations will be dealing with data privacy and cybersecurity mandates from the FTC, SOX/GLBA, PCI DSS, CCPA, NYSDFS, etc.
The trick for these companies is finding common ground amid the barrage of data security and cyber-regulatory mandates. Using a cybersecurity framework is one good way to match individual requirements with the security controls that need to be in place to prove data security. The framework mapping can then be reused across multiple GRC requirements to answer the questions the business will have to address, either during an audit or in the wake of an incident.
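The control-level mapping described above, as an added illustration that is not part of the original article: requirements from several mandates are crosswalked onto shared framework controls, each control is tagged as absent, merely in place, or proven effective with evidence, and gaps are ranked by how many mandates they serve. The control identifiers are styled after NIST CSF subcategories and the requirement-to-control mapping is a constructed sample, not an official crosswalk.

```python
from collections import defaultdict

# Constructed sample crosswalk (illustrative only): each (mandate, requirement)
# pair is mapped to the framework controls that satisfy it.
REQUIREMENT_MAP = {
    ("PCI DSS", "Req 8.3 strong authentication"): {"PR.AC-1", "PR.AC-7"},
    ("GLBA", "Safeguards: access controls"): {"PR.AC-1", "PR.AC-4"},
    ("NYDFS", "500.12 multi-factor authentication"): {"PR.AC-7"},
    ("CCPA", "reasonable security: logging"): {"DE.CM-1", "PR.PT-1"},
    ("PCI DSS", "Req 10 log and monitor"): {"DE.CM-1", "PR.PT-1"},
    ("SOX", "ITGC change management"): {"PR.IP-3"},
}

# Evidence status per control: "absent" (no control exists), "in_place"
# (configured but never tested), "effective" (tested, with audit evidence).
CONTROL_STATUS = {
    "PR.AC-1": "effective", "PR.AC-4": "in_place", "PR.AC-7": "in_place",
    "DE.CM-1": "absent", "PR.PT-1": "in_place", "PR.IP-3": "effective",
}

# Weight of a gap: a missing control is worse than an untested one.
GAP_WEIGHT = {"absent": 2, "in_place": 1, "effective": 0}


def mandates_per_control(requirement_map):
    """Invert the crosswalk: which mandates does each control help satisfy?"""
    coverage = defaultdict(set)
    for (mandate, _req), controls in requirement_map.items():
        for control in controls:
            coverage[control].add(mandate)
    return dict(coverage)


def prioritize_gaps(requirement_map, status):
    """Rank controls not yet proven effective; one fix may close many mandates."""
    coverage = mandates_per_control(requirement_map)
    scored = []
    for control, mandates in coverage.items():
        score = len(mandates) * GAP_WEIGHT[status.get(control, "absent")]
        if score > 0:
            scored.append((control, score, sorted(mandates)))
    # highest score first; ties broken by control id for stable output
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def requirements_at_risk(requirement_map, status):
    """Requirements where any mapped control lacks proof of effectiveness."""
    return sorted(key for key, controls in requirement_map.items()
                  if any(status.get(c, "absent") != "effective" for c in controls))


if __name__ == "__main__":
    for control, score, mandates in prioritize_gaps(REQUIREMENT_MAP, CONTROL_STATUS):
        print(f"{control}: score {score}, serves {', '.join(mandates)}")
```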
Taking a Progressive Stance
There are many regulatory efforts in the works to help businesses measure risk better by zeroing in on security controls. The PCI SSC and the evolution of its standards have helped accelerate the shift towards measuring security controls and prescriptively applying that measurement to data regulatory requirements.
Notably, the PCI SSC has made a positive shift towards requirements that demand security controls be proven rather than simply present: controls that support data protection must be shown to be effective during an audit, rather than earning a check in the box for merely existing.
I have found that the PCI Council has increasingly taken a progressive stance in helping businesses become more proactive in measuring security controls rather than passively checking them off. The data security standard itself has taken a positive move towards shifting compliance in the standard to include proof that security controls are not only in place, but active and effective, with evidence that those controls are enforceable.
Demonstrating efforts towards better data security risk measurement and control, recent advancements by the PCI Security Standards Council include the development of the PCI Software Security Framework and the PCI Secure Software Standard.
The new measures described by PCI include "validation and listing programs for the secure design, development and maintenance of modern payment software." The changes also bring a sharper focus on security practices that encompass application security and secure application development.
Both measures help align development and design methods so that they provide a more consistent measure of risk to data, since they expose gaps in security that can lead to vulnerabilities in payment applications. This is a good step towards helping businesses identify their data risk priorities faster and reduce the noise within the many GRC mandates they must comply with.
Compliance doesn't always equal security, but proactive measures and effective proof of cyber-compliance controls offer the assurance of knowing you are continuously protected from cyber-threats. Preparing for the next cyberattack will never be easy, but it must be a focus for all organizations, before it's too late. Take the steps necessary to balance GRC mandates successfully and measure risk effectively.