Mitigate Business Disruption from Cyber Events by Implementing a GRCS Strategy
by Jeff Brown


Technology and access to information are happening at lightspeed today. Recent events have forced us to pause and realize that, despite all the advancements, a basic biological organism can bring us to our knees.

Like every other crisis or event, certain groups or individuals will be looking to take advantage of other people and companies. If the last few years haven’t shown us how important protecting our information assets is to our future, this crisis will serve as a key reminder. At the end of the day, businesses are looking to avoid, or at least mitigate, the business disruption caused by cyber events.

As we weather the latest storm and begin to come out of it, businesses will need to refocus their priorities and prepare for growth. A key item in the recovery will be to reassess the financial impact of each risk and the cost of mitigation. Business leaders will need to determine whether they can absorb or accept the additional risk, or how mitigation of these risks needs to be prioritized.

In preparing your organization, it is critical to implement a sound Governance, Risk, Compliance, and Security (GRCS) Strategy. Organizations also need to assess the maturity of their program and determine the priority of improving their Risk, Compliance, and Security posture.

A sound GRCS Strategy consists of:

· Data Governance Program

· Enterprise Risk Program

· Contractual and Regulatory Compliance Program

· Information Security Program

If you look at this as a pyramid, the foundation is your Security Program, usually managed by the Chief Information Security Officer, which is focused on identifying existing threats and vulnerabilities as well as protecting the organization’s digital assets. Layered on top of the Security Program is the Compliance Program, which ensures the organization complies with its contractual obligations as well as regulatory directives with respect to handling and sharing sensitive data. The Compliance Program is usually managed by the Chief Compliance Officer and is focused on identifying and remediating non-compliant controls. The top layer of the pyramid is your Risk Management Program. This program takes the threats and vulnerabilities from the Security Program and the non-compliant controls from the Compliance Program, along with a valuated asset list, and through a process of measures and metrics performs a Quantitative Risk Analysis, resulting in the identification of the financial impact of each risk. Data

I will lay out below what each component should include and some of the challenges:

Data Governance

Before you can establish a Security, Compliance, or Risk Management program, the organization needs to identify what data it needs to protect. This is established by understanding what the sensitive data within the organization is and the negative impact of having this data stolen or made unavailable. A good GRCS Program starts with identifying and understanding what data you are trying to protect. Performing Data Classification, Data Categorization, and Data Discovery helps you understand what the sensitive data in your company is, how it should be handled, who needs access to it, and where it resides.

Steps in this process include:

· Data Classification and Categorization (Top Security, Confidential, Internal, and Public)

· Data Discovery (where the data exists)

· Data Access (who needs access and what kind of access)

· Data Mapping

· Management and Monitoring of Access (what are they doing with the data)

· Establish Policies on Acceptable Use


Risk Management Program

One of the key responsibilities of Business Leaders (CFO, CEO, and Board Members) is to manage Risk. These leaders must choose to either Accept the Risk, Mitigate the Risk, or Transfer the Risk to a 3rd party such as Insurance or a Managed Services Provider (MSP).

A Risk Management Program is designed to identify risks and quantify the financial impact of each risk. Additionally, the mitigation cost of each risk is determined.

One of the big challenges for CIOs and CISOs is the inability to communicate to the Business Leadership what the threats and vulnerabilities are and how they would impact the business. The problem is that technology people clearly understand concepts such as Threats and Vulnerabilities, but the Business Leadership communicates in dollars ($). The main objective of the Risk Management Program is to translate IT/Security threats and vulnerabilities into financial impacts in terms of dollars. Leadership can then begin to determine their Risk Tolerance and prioritize the mitigation of each risk.

In the Risk Management process, all the threats and vulnerabilities identified in the Security Program are imported into the Risk Management Program. The non-compliant controls from the Compliance Program are also added to create the Risk Registry. All assets are cataloged and grouped by function. This information is then run through a series of metrics and measures to determine the likelihood of occurrence and the asset values for the group of assets impacted by the Risk. The output is a dollar value of the financial impact of the breach.

The Risk Management process is not a point-in-time process, since Risks are changing and new Risks are occurring all the time. The Risk Management Program must include a process to constantly evaluate and update Risks as they occur or change. A side benefit of the Risk Management process is that it becomes easier for CIOs and CISOs to build their cost-benefit analysis with the data from the Risk Management Program.
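The Risk Registry walk-through above (security findings plus non-compliant controls, assets grouped and valued by function, likelihood and value combined into a dollar figure, then an accept/mitigate/transfer decision against leadership's risk tolerance) as an added example, not code from the article; the asset values, likelihoods, exposure fractions and costs are constructed sample figures, and the expected-loss formula and decision rule are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample valuated asset list: asset groups by business function (dollars).
ASSET_GROUPS: Dict[str, float] = {
    "order-processing": 2_500_000.0,
    "hr-records": 600_000.0,
    "public-website": 150_000.0,
}

@dataclass
class Risk:
    """One Risk Registry entry, sourced from the Security Program (threat/vulnerability)
    or from the Compliance Program (non-compliant control)."""
    name: str
    source: str               # "security" or "compliance"
    asset_group: str          # which function's assets the risk exposes
    annual_likelihood: float  # estimated probability of occurrence per year
    exposure: float           # fraction of the asset group's value lost if it occurs
    mitigation_cost: float    # annual cost of the proposed control (assumed figure)

    def financial_impact(self) -> float:
        """Expected annual loss in dollars: likelihood x asset group value x exposure."""
        return self.annual_likelihood * ASSET_GROUPS[self.asset_group] * self.exposure

def recommend(risk: Risk, risk_tolerance: float, transfer_cost: Optional[float] = None) -> str:
    """Accept / Mitigate / Transfer, given leadership's tolerance in dollars per year and,
    where known, the annual cost of transferring the risk (insurance or an MSP)."""
    impact = risk.financial_impact()
    if impact <= risk_tolerance:
        return "accept"
    if transfer_cost is not None and transfer_cost < risk.mitigation_cost and transfer_cost < impact:
        return "transfer"
    if risk.mitigation_cost < impact:
        return "mitigate"
    return "accept"  # neither option costs less than the expected loss; accept and re-evaluate

def build_register(risks: List[Risk], risk_tolerance: float,
                   transfer_costs: Optional[Dict[str, float]] = None) -> List[Tuple[str, str, float, str]]:
    """Return (name, source, expected annual loss, decision), highest impact first."""
    transfer_costs = transfer_costs or {}
    rows = [(r.name, r.source, round(r.financial_impact(), 2),
             recommend(r, risk_tolerance, transfer_costs.get(r.name))) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample findings; names and numbers are illustrative only.
SAMPLE_RISKS = [
    Risk("unpatched order API", "security", "order-processing", 0.2, 0.4, 50_000.0),
    Risk("HR file share lacks MFA (control gap)", "compliance", "hr-records", 0.1, 0.5, 45_000.0),
    Risk("outdated CMS plugin", "security", "public-website", 0.5, 0.1, 12_000.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, 10_000.0, {"HR file share lacks MFA (control gap)": 20_000.0}):
        print(row)
```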


Compliance Program

In the current Cybersecurity climate, with the frequency of third-party breaches, organizations have increased their scrutiny of how their vendors and partners are handling their data and accessing their systems. As a result, companies are being asked to demonstrate compliance with a variety of industry and regulatory standards such as SOC, PCI, HIPAA, HITRUST, Privacy, GLBA, DOD, FTC, FCC, and various state regulations. The Chief Compliance Officer (CCO) manages the various compliance obligations to ensure non-compliance issues do not negatively impact the company financially. One challenge CCOs have is to figure out ways to reduce the internal effort and redundant activities of managing multiple compliance standards. Many organizations are consolidating the controls of their security framework with their other compliance controls to build out a custom control set. This eliminates the stovepipe style of managing these programs and eliminates redundant activities across the various compliance standards.

There are many GRC platforms currently out there that claim to reduce the effort required to manage multiple compliance programs. Unfortunately, I have seen many companies purchase these technologies as a black box without implementing strict processes and methodology. The result is that the technology becomes an expensive document repository that never delivers the benefits it was sold on. GRC, like Security Management, is mostly a process, not a technology. The tools are only effective once the process is implemented. Things to consider when looking for GRC technology are:

· Ensure you have implemented the GRC process and that it works without adding technology

· Evaluate technologies that align with your processes

· Determine both the cost of acquisition (2 to 3-year costs) and the implementation costs; these costs will vary significantly from product to product

· Evaluate capabilities to integrate with other security and IT products such as Vulnerability Scanners, Asset Managers, Policy Managers, Incident Response Managers, SIEM products, and ticketing systems


Information Security Program

A sound Information Security Program is critical to implementing a successful GRC Strategy and protecting digital assets. It wasn’t that long ago that security meant a firewall and antivirus software. Threats and bad actors have evolved dramatically. These groups are much more networked and collaborative than many businesses. They are using advanced technologies such as AI to identify vulnerabilities, as well as automation in executing their attacks.

Companies have typically utilized a defensive-only strategy in their security programs. This approach is destined to fail; eventually, the attacker will find a vulnerability. If you think in terms of military strategy, a defensive-only strategy will be overwhelmed by a frontal attack combined with other strategies such as flanking, fragmenting, or feinting. Companies must combine multiple strategies if they are to mitigate or stop a threat. In addition, in the words of Sun Tzu, “You must know yourself, your enemy, and the battlefield.”

Organizations need to select a Security Framework on which to build their Security Programs. I recommend utilizing an industry-accepted standard such as ISO 27001 or NIST CSF. There are several other standards, but these two are the most widely used. If your customers and partners are requiring you to submit several security questionnaires, you might consider getting ISO 27001 certified, as this is likely to reduce the effort of addressing the questionnaires, and some customers may allow you to submit the ISO 27001 report instead of responding to the questionnaire.

Security Governance

A good Security Program starts with identifying and understanding what data you are trying to protect. Performing Data Classification, Data Categorization, and Data Discovery helps you understand what the sensitive data in your company is, how it should be handled, who needs access to it, and where it resides.

The governance layer is focused on the organization’s overall security policies. These define who may access information and how it is accessed, by the company as well as by third parties. These policies also require employees and contractors to conduct themselves appropriately with respect to security, and define how management and maintenance of the technical infrastructure that supports the information assets will be performed.

Security Operations

The second layer of the Security Program is building out the operational processes and procedures, which expand on what is stated in the policies with specific detail on how things are to be performed. For example, a policy may state that a Firewall Review must be conducted every 6 months; the procedures describe how the organization will perform that review. Unlike policies, which remain static unless the organization undergoes a significant structural change, procedures can change frequently as technology or organizational changes occur.

Security Technology

The third component of the Security Program is the Technology layer. Typically, many organizations start with technology, which can give them a false sense of security with respect to the maturity of their security program. As I mentioned previously, organizations need to implement a multi-phased approach as opposed to just a defensive or fortress strategy. In addition, leveraging automation and reducing human interaction should be a priority. You can’t eliminate human interaction completely, as there are still too many false positives being created and some decisions regarding action still need to be made by humans.

A sound multi-layered strategy for security technology is key. Besides firewalls and intrusion detection, organizations need to implement Network Detection and endpoint software such as EDR. In addition, good segmentation and restricting end-user devices from installing unapproved applications or software are critical. Think of your network like a submarine. A submarine is built with multiple compartments so that if one area is compromised it doesn’t impact the whole system.

Use Multi-faceted Strategy

As I mentioned previously, incorporating additional approaches beyond just being defensive can greatly improve your ability to detect and respond to attacks. Some in the industry advocate implementing or adding an offensive strategy. This makes sense if we are talking about testing, but responding to an attack by attacking the attacker is fraught with its own risks. Besides opening yourself up to significant retaliation, legal issues and international jurisdictions may also come into play.

Who’s Watching the Door?

A critical activity all organizations need to perform is watching what is coming into and going out of the network 24x7. Implementing a Security Information and Event Management (SIEM) platform that can consolidate all the logs and correlate them can help reduce the effort of identifying threats. Many of these technologies have advanced AI and threat detection capabilities that can help reduce the number of data points your team needs to look at. If you do not have a SIEM, or the resources and expertise to monitor the inbound and outbound activity, you need to consider contracting with a Managed Security Services Provider (MSSP). These organizations become your frontline for identifying potential threats. Not all MSSPs are the same; you will need to research what capabilities you need as well as whether their pricing model matches your budget.

Other Critical Security Program Components to Be Implemented

Training

Implementing a good Security Awareness Program is critical, as the weakest link in your security program is your end users. It is critical to ensure your employees understand their role in protecting sensitive data and how to recognize a potential breach. Phishing and social engineering are directly targeted at your users, and the ability to recognize them is critical. Training should be ongoing as well as part of onboarding, and periodic testing of comprehension is important. Many Security Awareness platforms incorporate phish testing.

Testing

An Information Technology infrastructure is not static. Changes to systems and networks are a daily routine. Every time a change is made there is a potential to introduce a new vulnerability into the environment. Regular vulnerability scanning, both internal and external, needs to occur at least quarterly. Penetration Testing needs to be performed at least once a year, or when a major system upgrade or addition occurs. Security Officers should also consider performing a detailed Application Penetration Test annually and before deploying a new or revised application.

Incident Response and Business Continuity Plans

Every organization needs to build both an Incident Response (IR) plan and a Business Continuity (BCDR) plan prior to experiencing a security event. The IR plan details the process needed to respond to an event: the steps that need to be taken and who needs to be contacted. The BCDR plan details the steps and actions that need to be taken if one or more locations/functions of the organization can no longer function. Both the IR and the BCDR plans should be tested annually to determine their effectiveness.

Summary

In summary, organizations looking to mature their Governance, Risk, Compliance, and Security Strategy (GRCS) must ensure they implement all of the programs (Data Governance, Risk Management, Compliance Management, and Information Security). Omitting any of these will leave large gaps in your ability to manage the threats and vulnerabilities within your operation. In addition, it will limit critical information needed by Business Leadership to make decisions on how to address their risks.

Lastly, my recommendation is to find a partner who has the experience and a holistic view of how to implement a Governance, Risk, and Compliance Security Strategy.

Butch Holley

Logistics @ Ellefson Transportation Group

2 years

Well written Jeff!
