Governance, Risk and Compliance: Enacting Proactive Risk Management

Tom Kellermann

In the highly regulated industries of finance, healthcare and energy, a focus on governance, risk and compliance (GRC) is crucial to effectively combat a cyber security breach. Unfortunately, when considering international data sharing, this can become overwhelmingly complex, writes Tom Kellermann. In today’s evolving cyber landscape, it’s less about balancing GRC and more about enacting proactive risk management as the main focus, with governance as an important element of that.

Typically, compliance is based on operational and regulatory risk management. Given the hostility of cyber space and the rapidly evolving threat landscape, just being technically compliant isn’t enough. Organisations must also be more proactive in preventing risk in other areas (such as reputational risk, for example). Reputational risk management, where there’s no governing or compliance standard, is an organisation’s worst nightmare. True reputational risk management isn’t just about crisis communications post-breach. Rather, it’s a part of proactive risk management that starts before you’ve been attacked, and before your impacted network can begin to attack your customers and partners.

Governance, as the General Data Protection Regulation (GDPR) illustrates, cannot be rolled out slowly, and it is not solely about privacy, because privacy and cyber security are interdependent. If balance is the ultimate goal, organisations should find it by empowering the CISO to be equal to or greater than the CIO. CISOs must have their own resources, authorities and reporting regime that allows them direct access to the company’s Board.

Moreover, the CISO and CIO need to be in close collaboration with regards to technology decisions and security implications so these two departments can successfully partner against security risks. Yes, governance will always sit on top. It’s the defensive-minded head coach that determines the culture of the team, but without at least equality between the CISO and the CIO, organisations are inviting significant risks as they roll out technologies and mobile apps, or outsource with specific companies that haven’t been properly vetted from a cyber security risk perspective.

Priority for traditional compliance 

Unfortunately, greater priority is always going to be given to traditional compliance for two key reasons. First, most organisational structures place the CISO under the CIO, whose priorities nearly always come first. These priorities typically put the organisation on the offensive and include increasing access, efficiency, resiliency and speed to support the growing needs of the business, all of which expand an organisation’s attack surface. With limited time and budget and a rapidly changing technological landscape, this often leaves little for a defensive strategy.

Second, CIOs are encouraged to maintain plausible deniability: under legal precedent, they cannot be held criminally liable for a breach if they were unaware that a security gap existed. Unfortunately, this can lead to a tendency to avoid proactive penetration tests and threat hunting exercises. These would offer evidence that something has gone wrong, and that the CIO was aware of back doors or vulnerabilities within the company’s systems and didn’t take any action against them, increasing their personal liability.

With these challenges in mind, organisations can work to achieve a balance between risk management and compliance by taking the following actions:

* Create a culture that’s focused on privacy and underpinned by cyber security

* Empower the CISO and the defensive mindset so that it’s equal to the authority and budget of the CIO

* Transition the conversation away from just IT to one around risk management and brand protection, while proactively conducting regular compromise assessments across the infrastructure and the company’s information supply chain. In the long run, it’s all about the sustainability of the brand.

We can all agree that taking a strong stance on GRC is necessary to successfully mitigate a cyber attack. It’s how to approach GRC that needs serious consideration. By focusing on proactive risk management, organisations should reconsider the power governance has, how to effectively address risk and what being compliant truly means for the CIO, the CISO and the entire Board of Directors.

Tom Kellermann is Chief Cyber Security Officer for Carbon Black
