Governance, Risk and Compliance: How can IT departments put IT Security on the corporate agenda?

By Henrik Skovfoged, Group Product Director, Security at Conscia

Cyber Security on corporate agenda

A string of major companies has been learning it the hard way in recent years: dealing with Cyber Security is not a simple matter. Indeed, it is as much about corporate strategy, culture and management as it is about Information Security. So how does an IT department go about dealing with Information Security?

For most IT professionals, the default approach to Information Security is to deal with it like any other technical challenge. While this might have worked years ago, the number and complexity of today’s threats call for a much broader perspective.

Securing information in any type of company takes a coherent effort from management and every other part of the organisation. It requires, among other things, new processes, new rules and a strong internal culture. Technology alone can’t safeguard a company; a holistic approach is needed.

Some IT managers might get away with leaving it to top management to lead the way. More often, though, a degree of proactiveness is required of today’s CIO or Network Manager.

But how do IT people help management realise the Cyber and Information Security challenges the company is facing? And how do they establish a framework for dealing with Information Security at the strategic level, where it belongs?

At Conscia, we have helped a number of CIOs and Network Managers answer these questions. These companies have rolled out initiatives that have strengthened Information Security and even yielded several business benefits, such as greater efficiency and more cost-effective processes.

At the core of these initiatives sit three letters: GRC.

Link between GRC and Prevention, Detection, Response

Behind the letters GRC are the words Governance, Risk and Compliance. Introduced in 2003, it was originally developed as a paradigm for better balancing needs and demands against economic resources whenever new organisational and technical measures were to be taken. As opposed to a narrow process and system focus, it outlines a 360-degree approach.

Applied to Information Security, GRC offers a method for setting overall organisational goals for success and for handling risks. Instead of approaching Information Security from an IT point of view, GRC is rooted in corporate strategy. This opens up a number of areas of application for the method; for instance, GRC can help meet GDPR requirements.

If this is not enough to convince top management to buy into a 360-degree Information Security effort, offering a shortlist of some of the major security breaches at large corporations in recent years should do the trick. Sony, Hoya Japan, A.P. Møller-Mærsk, Travelex and many others all suffered huge losses in the form of data, disruption of operations, loss of orders, damage to reputation and so on.

Unlike earlier years, when cyber-attacks were kept secret by the affected corporations, news of these recent breaches has reached the mainstream media, highlighting the very real threats and consequences companies may face if they aren’t properly prepared.

But while we all know of these cyber-attacks, we are rarely told exactly how the attackers managed to succeed, nor does the public hear details of what might have been done to prevent the breaches.

In any case, focusing solely on the prevention of cyber-attacks is a flawed strategy. The threats to Information Security are constantly evolving, making it all but impossible to stay 100% safe. A sound Cyber Security strategy therefore cannot focus on preventing attacks alone.

At Conscia, we believe that IT Security should be built on three overall levels: Prevention, Detection and Response.

The trick is to find exactly the right mix of the three: to continuously balance the levels so that they best complement each other and together provide the required security level for every part of the organisation. This work has to rest on a strategic groundwork, and this is where GRC enters the picture.

Get started with GRC

Whether working with GRC is new to your organisation or you have made previous attempts, Conscia can help you get started with GRC through our proven, pragmatic approach.

Our consultants have deep experience in the field and can assist you all the way from identifying needs, goals and barriers to establishing effective action points. We can also help you introduce GRC to your company’s management and staff and describe the attainable business benefits.

To learn more, please leave your contact information and a Conscia Security Team member will contact you!
