Governance, Risk and Compliance: How IT departments can put IT Security on the corporate agenda? (Part 2)

Cyber Security on corporate agenda

A string of major companies has been learning the hard way in recent years that dealing with cyber security is not a simple matter. Indeed, it is as much about corporate strategy, culture and management as it is about information security. So how does an IT department go about dealing with information security?

In part 1 of this feature, I introduced the GRC concept and discussed the attainable business benefits. In the following I will touch upon the three elements of GRC and how they can help establish an effective cyber security program in your organisation.

I’ll start with the R, in order to relate GRC to familiar issues from daily life. Cyber security risks may involve many technical aspects, but allow me to compare the essence of security with driving a car.


When driving a car, we all unknowingly create our own real-time risk map by constantly collecting information, with the primary sources of information being our view of the road and our dashboard.

This “traffic picture” we’re facing is continuously evolving, with new, silent, electrically powered means of transportation, pedestrians with headphones, or cyclists with their attention directed at their smartphones. The list also includes AI-powered vehicles navigating with their own algorithm-based logic.

In the context of GRC, “Risk” simply means constantly knowing the whole risk map your company is facing. Is your organization’s information handled in a way that won’t risk harming the car (company), the passengers (staff), the surroundings (stakeholders) or the driver (management)?

You might ask yourself whether you’d want to take a ride in a car if A) the car did not seem safe and/or B) the driver was driving recklessly and/or C) the road was slippery. My guess is that you’d probably decline.

In much the same way, you might ask yourself whether your company’s customers would feel inclined to keep coming back if they can’t find out exactly which container is carrying their goods, or if one of your sub-contractors is discovered to have leaked (your) customer data.

The impact on a company’s reputation is far from trivial, because no matter how fast and effectively the cyberattack was mitigated, the one thing that will be remembered is that the company was breached.


Let’s take a look at the G – Governance – and let’s jump back into the car.

If you choose to turn up at the starting line of the Paris-Dakar rally in a city car, you shouldn’t expect to win the race, even if all your competitors were to crash out of it, since a city car cannot cross the desert sand and reach the finish line. If your everyday way of driving involves taking risk after risk at the edge of your company’s capability, you should probably set money aside to be able to pay a fine or two. Or if it looks like rain, it might be wise to take a pit stop to have your Formula One car fitted with rain tyres.

In other words, it’s always good to get the expectations right and to act accordingly. A company needs to assess its risk map in order to make cyber security decisions on an informed basis. The IT setup should guard the company against threats without limiting the business in taking calculated risks that can increase company revenue.

This is where Governance enters the picture.

Governance is used to find the right IT setup: one that gives the company the best possible starting point for realising management’s goals, while ensuring the needed level of security. It’s about having just the right, flexible and agile mix of security measures, based on a risk map and the company’s economy, strategic goals, reputation and culture. Perhaps needless to say, this entails a deep knowledge of the organisation’s values and goals.

To put this into more specific terms: if, for example, a company’s information security budget is fixed at a low level, it will take longer to fix weaknesses, and the company must make smart decisions accordingly. For instance, it might be smart to decide that end users cannot be local administrators. This could serve as a solution until funds are found to implement a more permanent solution for managing privileged access safely.

Accepting local administrators means accepting the risk that crypto malware cannot be stopped. And if company rules for outgoing traffic are lax, an attacker who has gained access via a phishing mail cannot be stopped from sending data out of the organisation.

On the other hand, if it isn’t possible or advantageous for the company to withdraw end users’ administrative roles and limit outbound traffic, there are other ways to protect the company. It might choose to monitor for unusual data traffic or processes that indicate suspicious activity, or consider other compensating mitigations.

This entails a whole new set of decisions, such as buying the right monitoring services versus hiring your own staff, and so on. Each of these decisions should be rooted in the same comprehensive governance plan.


Finally, let’s get back into the car for a few words on Compliance.

The ultimate goal, seen from a compliance perspective, is to reach a state where the company is run in the most engaged and responsible way possible, one where the entire staff cooperates in minimising mistakes. In other words, one where every driver in every car at all times drives with due care and acts with good conduct in resolving traffic issues.

This ideal set of conditions is hard to reach, to say the least. Controls, systems, checklists, procedures, processes and goals only work if the organisation is committed and shares a common sense of responsibility.

Just ask supermarkets, where stories about old food on the shelves repeatedly find their way to the media, despite the implementation of new control systems as well as public apologies and promises from top management. Or ask Facebook or Google, whose violations of data protection laws have cost the companies massive fines.

Compliance can help companies avoid fines and protect their reputation by altering habits and creating commitment among staff to always do the right thing. In relation to information security, compliance programmes should, apart from setting formal guidelines, also be an inspiring, constructive and coaching experience for employees.

Good compliance is reached when compliance becomes about making the company better by anchoring responsibility and engagement in the daily processes. With today’s information security threats in mind, this aspect is vital for maintaining a sufficient level of cyber security.

Recap: 3 steps to deal with cyber security

1. Establish a comprehensive and continuously updated risk map that clearly outlines the information security threats your company is facing.

2. Find the right IT setup, one that can realise management’s strategic goals while securing the needed level of information security.

3. Alter habits and create commitment among staff, so everyone does the right thing with regard to information security at all times.

Get started with GRC

Whether working with GRC is new to your organisation, or you have made previous attempts, Conscia can help you get started with GRC with our proven, pragmatic approach.

Our consultants have deep experience in the field and can assist you all the way from identifying needs, goals and barriers to establishing effective action points. We can also help you introduce GRC to your company’s management and staff and describe the attainable business benefits.

To learn more, please leave your contact information and a Conscia Security Team member will contact you.