Governance, Risk and Compliance - Enacting Proactive Risk Management


Tom Kellermann

Chief Cybersecurity Officer at Carbon Black


11.07.2019 11:45 am

In the highly regulated industries of finance, healthcare and energy, a focus on governance, risk and compliance (GRC) is crucial to effectively combat a cybersecurity breach. Unfortunately, when considering international data sharing, this can become overwhelmingly complex. In today’s evolving cyber landscape, it’s less about balancing governance, risk and compliance, and more about enacting proactive risk management as the main focus, with governance as an important element of that.

Typically, compliance is based on operational and regulatory risk management. Given the hostility of cyberspace and the rapidly evolving threat landscape, just being technically compliant is not enough. Organisations must also be more proactive in preventing risk in other areas -- reputational risk, for example. Reputational risk management, where there is no governing or compliance standard, is an organisation's worst nightmare. True reputational risk management is not just crisis communications post-breach, it is a part of proactive risk management that starts before you’ve been attacked, and before your impacted network can begin to attack your customers and partners.

Governance, as illustrated by the General Data Protection Regulation (GDPR), can’t slowly be rolled up, and it’s not solely about privacy, as privacy and cybersecurity are interdependent. If balance is the ultimate goal, organisations should find it by empowering the CISO to be equal to or greater than the CIO. They must have their own resources, authorities, and reporting regime that allows them direct access to the company’s board. Moreover, the CISO and CIO need to be in close collaboration with regards to technology decisions and security implications so these two departments can successfully partner against security risks. Yes, governance will always sit on top. It is the defensive-minded head coach that determines the culture of the team. But without at least equality between the CISO and the CIO, organisations are inviting significant risks as they roll out technologies and mobile apps, or outsource to specific companies, that haven’t been properly vetted from a cybersecurity risk perspective.

Unfortunately, greater priority is always going to be given to traditional compliance, for two key reasons. First, most organisational structures place a CISO under the CIO -- whose priorities nearly always come first. These priorities typically put the organisation on the offensive, and include increasing access, efficiency, resiliency, and speed to support the growing needs of the business, all of which expand an organisation’s attack surface. With limited time and budget, and a rapidly changing technological landscape, this often leaves little left for a defensive strategy.

Second, CIOs are encouraged to maintain plausible deniability: under legal precedent they cannot be held criminally liable for a breach if they weren’t aware that a security gap existed. Unfortunately, this can lead to a tendency to avoid proactive penetration tests and hunt exercises, since these would produce evidence that something has gone wrong, and that the CIO was aware of backdoors or vulnerabilities within the company’s systems and took no action against them, increasing their personal liability.

With these challenges in mind, organisations can work to achieve a balance between risk management and compliance by taking the following actions:

  • Create a culture that is focused on privacy and that is underpinned by cybersecurity.
  • Empower the CISO and the defensive mindset so that it is equal to the authority and budget of the CIO.
  • Transition the conversation away from just IT, to a conversation around risk management and brand protection, while proactively conducting regular compromise assessments across the infrastructure and the company’s information supply chain. In the long run, it is all about the sustainability of the brand.

We can all agree that taking a strong stance on governance, risk and compliance is necessary to successfully mitigate a cyberattack. It’s how to approach them that needs serious consideration. By focusing on proactive risk management, organisations should reconsider the power governance has, how to effectively address risk, and what being compliant truly means for the CIO, CISO and the entire board.
