Cybersecurity and GRC

?Now more than ever, businesses function in remarkable digital spaces, and the rules have changed. Cybersecurity has become so important these days that the SEC is about to force Chief Information Security Officers (CISO) into America’s boardrooms . Cybersecurity, Governance, Risk, Compliance all mostly fall under the CISO’s purview.

Nowadays, governance and compliance not only apply to highly regulated sectors but has become increasingly critical in cybersecurity programs for young and established entities.

The rapid regulation changes and tech advancements have blurred the line between cybersecurity and compliance, and most organizations feel like moving targets. One of the key concerns is implementing comprehensive security programs while still maintaining compliance obligations.

In this post, I’ll give an overview of GRC (governance, risk, and compliance) as well as discuss how governance, risk and compliance are all related in the context of cybersecurity. I’ll also shed some light on the most common regulatory compliance frameworks out there.

What is Cybersecurity?

Cybersecurity does not have a beginning or an end. Cybersecurity (or IT security in some cases) is an ongoing process of protecting an organization’s digital assets.

It’s an ongoing chess match between ethical businesspeople and online criminals. Organizations develop strategies to insulate a network’s digital assets from prying eyes and theft. Hackers work tirelessly to breach organization’s defenses. And for each insidious technique or tool cybercriminals deploy, cybersecurity professionals adapt and make a countermove.

The purpose of responsible cybersecurity is to prevent and deter threats. In an earlier post , I had written about security frameworks such as zero trust and what does it mean to organizations.

What is GRC?

Governance, Risk, and Compliance (GRC) — is one of the most important elements any organization must put in place to achieve its strategic objectives and meet the needs of stakeholders. In today’s age of countless cybersecurity threats, this is almost becoming an essential component for any organization.

• Governance: The ability to align processes and actions with long-term business goals.
• Risk: Identifying a company’s present and potential vulnerabilities.
• Compliance: Meeting the regulatory requirements to operate in an economic landscape.

Governance

Governance entails aligning organizational activities (like IT functions or training) to support and advance an organization’s objectives. The process typically involves the organization’s leading decision-makers like high-level executives and board members. It defines and enforces corporate disclosure, board composition, and executive compensation.

Governance determines how executives collect information, decide, communicate with relevant stakeholders, and choose the parties to join the board. Insider trading among executives and a lack of interest in social, legal, or environmental guidelines are great examples of poor governance.?

Effective governance requires practical strategies and informed decisions, which rely on data and hard evidence from:

• Assurance reports
• Internal audits
• Risk assessments
• Compliance monitoring findings

Robust governance will keep an organization aligned and on track with defined goals.

Risk Management?

Organizations conduct risk management to identify, assess, and control the risks and threats they face, including cybersecurity threats, commercial liabilities, legal consequences, financial pitfalls, or management errors.

Identifying sections of significant uncertainty and gaps requires risk assessments and internal audits. The risks may be within vital systems processes and business operations or on the broader market.

Critical staff like IT security leaders, finance officers, the governance board, and business analysts are usually tasked with various risk management elements. With a robust GRC framework, organizations can easily align the activities with ultimate objectives.

Compliance

Compliance involves meeting a set of standards to achieve governance goals, and many cases in relation to specific laws and regulations.

From the context of Cybersecurity, compliance is the adherence to an organization IT infrastructure's contractually prescribed, internal, or legal requirements. These comprise a set of rules governing data availability, integrity, and protection within processes and systems. In most cases, Compliance aims to meet the security and privacy requirements of specific customers, markets, and governments. It enables an organization to transact safely with other organizations upholding diverse standards.

Compliance as a Subset of GRC?

Compliance is only one component of a larger scheme to ensure an organization doesn't go against government regulations and industry rules, summed up in the abbreviation GRC (Governance, Risk and Compliance).

Organizations rely on the GRC system to structure their regulatory compliance, risk management, and governance. It's aimed at unifying and aligning an organization’s approach to these processes. Keeping them robust will enhance an organization’s performance and improve decision-making.??

It’s not unusual for professionals to consider the prongs of GRC as mutually exclusive processes. But if GRC were a three-circled Venn diagram, forward-thinking CEOs and other decision-makers would strive to position their operation in the overlapping space. That’s because compliance alone does not necessarily create the enhanced cybersecurity necessary to repel advanced persistent threat (APT) actors.

Only by conducting a thorough review of an organization’s systems, data storage, and cybersecurity defense, will company leaders truly know their level of risk. With that in mind, an organization can align their governance and compliance with the hardened defenses necessary to discourage a foreign cybercriminal.

GRC structures allow organizations to consolidate compliance monitoring and stay ahead of any regulations or laws relevant to their processes. Going against compliance could present devastating reputational, legal, and financial consequences. These could include money and time spent fighting lawsuits, fines, and a tarnished reputation.

Regulatory Compliance Frameworks

Meeting regulatory compliance frameworks may seem like the cost of doing business at first blush. But these organized guidelines and methodologies are established to protect valuable and confidential digital assets.

The act of meeting them and remaining in compliance improves the chances that hackers won’t penetrate a system. Regulatory bodies are still catching up to cybercriminals’ tactics. However, these are still some of the common regulatory compliance frameworks industry leaders need to aware of.

• SOX: The Sarbanes-Oxley Act requires publicly traded companies to meet managed asset controls. Companies are tasked with conducting a regular audit that reviews the viability of internal controls.
• HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules regarding the protection of medical records and histories. Ongoing compliance remains necessary for organizations in the health care sector.?
• HITECH: The Health Information Technology for Economic and Clinical Health Act was introduced during the Obama Administration. The measure removed loopholes and incentivized HIPAA compliance.
• PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) involves regulations to heighten cybersecurity in the credit card industry. Developed by household name credit card corporations, its rules are not necessarily part of government oversight.
• SOC1: Service Organization Control 1 involves a written report following an internal control audit. The focus is relevant to a consumer’s financial statement.
• SOC2: This brainchild of the American Institute of CPAs defines five “trust service principles.” Certification is typically the result of passing a third-party audit.
• NIST: The National Institute of Standards and Technology is a non-regulatory organization that provides guidance around cybersecurity at the highest levels. NIST guidelines are widely adopted by the federal government and included in CMMC, among many others.
• FedRamp: The Federal Risk and Authorization Management Program crafts Cloud-centric cybersecurity guidelines. It establishes security assessment, authorization, and ongoing monitoring of cloud-based products and services.
• ISO: The International Organization for Standardization establishes technological and commercial standards. Although U.S. companies may not need to directly comply, it publishes rules adopted in many countries.
• GDPR: The goal of GDPR (General Data Protection Regulation) is to provide more stringent data privacy and security measures and more user-friendly disclosures and reporting on data protection practices. This regulation aims to allow individuals to control the use and storage of their own data, including any personal identifiable information.
• CCPA: The California Consumer Privacy Act of 2018 (CCPA) is?a data privacy law that outlines standards for data collection, consequences for businesses that cannot protect user data, and rights that California consumers can exercise over their data.

Meeting the standards established by these and other organizations usually results in compliance. Forward-thinking business leaders can also leverage the cybersecurity enhancements and integrate them into a larger GRC vision.

Security vs. Compliance: How the two Function Together

Security is centered on deploying adequate technical controls against threats to an organization’s assets. On the other hand, compliance involves applying these practices to align with a vendor's contractual or regulatory requirements.

Everyone will acknowledge the need for effective IT security programs. Solid procedures and protocols allow us to go beyond checking boxes to leverage effective practices and solutions to secure our most crucial assets.

This is where layered security systems, defense-in-depth, user awareness education, and regular audits by external parties come in. All these ensure that an organization’s available controls work. If organizations only focused on meeting compliance standards without paying attention to these vital functions, they would open the door to threat actors preying on low-hanging fruit.

While most of us believe that compliance focuses on doing the bare minimum, it's valuable on its own right as a business asset. Aligning IT functions with a respected industry standard bolsters an entity's reputation and attracts new business from security-minded consumers.

Through compliance, we can identify gaps in our current IT security structure, loopholes we couldn't recognize without a compliance audit. The process allows organizations to standardize their security programs instead of choosing controls at the administrator's whim.

The first step to compliance and determined cybersecurity requires actionable intelligence uncovered through an audit.

In a future post, I will write about audit as a means to verify compliance as well as how an audit can improve cybersecurity and compliance.??

?

?

?

?

?

?

?

?