Shifting Compliance to Effectively Measure Risk: Balancing GRC Mandates

Historically, meeting governance, risk and compliance (GRC) mandates was typically all about ensuring businesses had solutions in place to gain compliance, thus reducing the risk or consequences of non-compliance imposed by regulators (i.e. the fines and penalties associated with failing compliance), observes Christopher Strand. Now, true cyber risk needs to be measured differently. To survive each successive new audit, GRC programmes need to focus on proving that solutions are in place as safeguards to protect data. GRC mandates are shifting in this direction, but sometimes lag behind the pace of cyber security.

Recent regulatory action by the UK’s Information Commissioner’s Office against British Airways and Marriott International for infringements of the General Data Protection Regulation, followed swiftly by a proposed fine of $5 billion for Facebook courtesy of the US Federal Trade Commission, demonstrates that companies are being held accountable for protecting personal information as regulators pay close attention to organisations’ due diligence regarding privacy practices.

The poor signal-to-noise ratio of our mixed compliance and cyber security industry has caused overwhelming complexity. From a data security and risk perspective, balancing GRC regulations will continue to be a priority and will only grow in importance. New mandates are introduced and redefined at an exponential pace in jurisdictions all over the world in an effort to keep pace with the steady increase in data exploits. According to a recent survey, these mandates have been particularly intense within the retail, finance and healthcare industries.

As we move forward, the shift to merge security controls with compliance requirements needs to happen faster, such that compliance requirements can enable the reduction of risk – and clarity about that risk – from the top to the bottom of the enterprise (i.e. from the Board to the security analyst). Over the past few years, almost all privacy mandates and regulatory compliance requirements have included cyber security technical provisions, put in place to help focus on ensuring and proving the necessary enforceable security safeguards. Everyone within the organisation shares the responsibility and liability to prove safeguards are in place and, importantly, measured effectively.

If organisations are willing to invest the effort in measuring their compliance requirements against a common security framework (NIST CSF, CIS CSC or even PCI DSS), this offers a unique way to automate the process of aligning their critical assets and data more closely with compliance and security risk. Understanding risk at the control level helps to prioritise where actual effort needs to be applied in order to meet individual compliance requirements. If businesses simply attempt to tick through GRC requirements, their efforts may skew away from the intention or spirit of the compliance mandate and work against each other.

Challenges ahead

Within the recent ‘threatscape’, this happens to be one of the biggest strains on a business – the tendency to perform ‘check-box’ compliance rather than focusing on measuring risk. To overcome this obstacle, businesses should align these data privacy requirements back to the actual controls that are in place to protect the data, which provides a better picture of their regulatory and risk posture. This helps to quickly demonstrate both success in meeting compliance mandates and fulfilment of mandatory and enforceable security protection.

One of the biggest challenges to balancing GRC is the sheer multitude of industry regulations by which any one company is affected, and with which it must comply. Take any highly targeted industry, for example the financial sector: professionals within it will be dealing with both data privacy and cyber security mandates. The trick for these companies is going to be finding common ground among the barrage of data security and cyber-regulatory mandates. Using a cyber security framework is one good way to match up individual requirements with the security controls that need to be in place to prove data security. The framework can then be applied across multiple GRC requirements to answer the questions that the business will have to address either during an audit or in the wake of an incident.

Taking a progressive stance

There are many regulatory efforts in the works to help businesses align better to measure risk by zeroing in on security controls. The PCI Security Standards Council (PCI SSC) and the evolution of its standards have helped to accelerate the shift towards security control measurement and how to prescriptively apply such measurement against data regulatory requirements. It has been notable that the PCI SSC has made a positive shift towards using requirements to ensure that security controls can be proven rather than simply put in place. That is, controls that support data protection need to be proven effective during audit rather than merely providing a check in the box.

I’ve found that the PCI’s leadership has increasingly taken a progressive stance in helping businesses become more proactive in measuring security controls rather than passively checking them off. The data security standard itself has taken a positive move towards shifting compliance in the standard to include proof that security controls are not only in place but active and effective, with evidence that those controls are enforceable.

Christopher Strand

Demonstrating efforts towards better data security risk measurement and control, recent advancements by the PCI SSC include the development of the PCI Software Security Framework and the PCI Secure Software Standard. The new measures described by the PCI include “validation and listing programmes for the secure design, development and maintenance of modern payment software”.

The new changes also include a better focus on security practices that encompass application security and secure application development. Both measures will help align with development and design methods that provide a more consistent measure of risk to data, since they help to expose gaps in security that can lead to vulnerabilities in payment applications. This is a good step forward in helping businesses key into their data risk priorities on a faster footing and reduce the noise within the number of GRC mandates with which they must comply.

Compliance doesn’t always equal security, but proactive measures and effective proof of cyber-compliance controls offer the confidence of knowing you’re continuously safe from cyber threats. Preparing for the next cyber attack will never be easy, but it must be a focus for all organisations before it’s too late.

Take the steps necessary to successfully balance GRC mandates and measure risk effectively.

Christopher Strand is Head of Cyber Compliance Strategy for Carbon Black.
