Organisational boundaries are changing and the challenges to information security are being magnified with more departments within a business being affected by the adjustments. Organisations today cannot afford to function as isolated silos. Now is the time to embrace change and this includes opening themselves up to the vast, diverse and risky world of the web and its related technologies.

With the emergence of stronger and more widespread Cyber Security threats, business leaders cannot be in a wait-and-watch mode in cyberspace. The open nature of the internet gives worrying power to cybercriminals, and in turn, makes Cyber Security more than just a technical problem — it’s a business problem. The potential consequences of a cyber threat are huge, and that has placed Cyber Security fully onto the Board agenda.

By aligning security programs with business objectives, CISOs have an opportunity to ensure Cyber Security strategies and compliance go hand in hand.

Since compliance and risk management are so closely aligned, business leaders are implementing governance, risk management and compliance (GRC) programs to improve their understanding of their information security posture across the three disciplines and to ensure they are not conducted in silos.


Risk Management is vital to combat cyber threat

As the velocity, volume and sophistication of cyber-attacks grow, organisations, especially those that are tasked with safeguarding information relating to the general public, national security, health, or financial records, need to take informed, pragmatic and balanced steps to protect their sensitive, high impact business, and personally identifiable information (PII).

A good risk management program allows risk decisions to be well informed, well considered and made in the context of organisational objectives and business strategy. Any information and Cyber Security risk management strategy should identify the critical assets that require protection, the threats those assets are exposed to, the level of controls already in place and the additional controls required. Management can then take a view of the risks across the whole company and make informed resource-allocation decisions. A robust GRC program helps identify risks early and therefore allows CISOs to implement appropriate mitigations to prevent incidents before they occur.

With cyber risks continuing to grow in intensity and sophistication, making good risk management decisions really matters. Rushing through the decision-making process and saying “no” by default are not the right answers in 2020. A better approach is to implement a consistent risk management program that can be understood across the whole organisation. Cyber events will still happen to your organisation, but it will be better prepared to deal with them.


Formal guidance helps focus Cyber Security strategies

This increased focus on Cyber Security is creating a pressing need for some formal guidance and well-defined regulations, which can help organisations implement their Cyber Security programs more effectively. The National Institute of Standards and Technology (NIST) Cyber Security framework is one example of guidance and structure. This framework is a good starting point for CISOs who want to define, adopt and refine an infrastructure for their own business needs while at the same time following industry standards.

Governance is essential to achieving the information security objectives of a business, not only for current needs, but also to ensure well thought out and maintained mitigation plans for the future.

An effective governance framework covers improvements to security policies, advice on technical controls, and how to conduct audits and implement assessments. To meet future challenges, the governance framework must continually focus on emerging threat factors, fast-moving changes in cyberspace, people’s views, consumer pressures, hacker behaviour and even the changing workplace.


Compliance drives Cyber Security onto all department agendas

As security experts like to say, “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”

In the past, management seemed to think that information and Cyber Security risk sat in the IT department. While that transformation is not complete, there is now a realisation that these types of risk extend to all business units, operational units, employees and key third parties. That is why the Compliance function is playing a vital role.

Compliance can play a pivotal role in a cross-functional approach to Cyber Security by embedding regulatory requirements into business operations and helping to connect the various functions across an organisation.

With a growing number of industry regulations requiring information and Cyber Security compliance, the compliance function needs to have the knowledge, skills and competence to design and implement policies, procedures and controls that meet these requirements.

Since cyber threat is an enterprise-wide risk that requires a cross-functional approach to manage, compliance teams need to be empowered to secure senior buy-in. That requires regular contact and sufficient seniority to engage effectively with the C-suite, Legal, HR and other functional and operational teams. Compliance can connect the dots across an organisation.

Now, more than ever, compliance must play an integral part in any organisation’s cross-functional Cyber Security program to make sure such efforts are enterprise-wide, consistent with regulatory requirements and embedded in how the company operates and how its people conduct their work. Organisations will also need to be in a position to tell their story of continuous improvement to stakeholders and customers, through KPIs, metrics and demonstrated use of best practices.