Achieving Cybersecurity Goals Through GRC Approach
By Anoop Kumar, Head of Information Security Governance Risk & Compliance at Gulf News
We are becoming ever more dependent on technology and digitization. As data increases in importance and volume, data protection and privacy are essential to safeguard the integrity of the systems we all use and depend on. Hence, our resilience in terms of people, process, and technology is vital.
Actors with ill intent never rest and are constantly evolving, so consumers, firms, and governments will need to keep investing time, energy, and money to stay ahead of the game. Cybersecurity goals represent a powerful megatrend over the coming decades in both relevance and growth.
The Problem
Most organizations are firefighting with:
- Too many incidents and faults
- Uncontrolled budget
- Uncontrolled projects
- Operational surprises and unexpected downtime
- Lack of compliance
- Uncontrolled removable media use
- Abused identity privileges
- Audits that take too long, cost too much, and produce unacceptable results
- A lot of rework
- Lack of ownership and accountability
- Poor customer service, both internal and external
- Expensive incident response activities
- Firefighting IT
- No transparency and visibility
We must consider a program that reduces operational complexity and surprises and delivers concrete business sustainability and cyber resilience.
The Program
Cybersecurity GRC by design: educate the boardroom (a top-down approach) and enable from the bottom up.
The frequency and negative impact of cybersecurity incidents on organizations continue to rise, undermining the confidence of the board and executives in their cybersecurity strategies. Security GRC by design is increasingly being adopted to enable stakeholders to draw a straight line between cybersecurity investment and the protection and improved compliance levels it delivers.
We must consider Cybersecurity GRC by design to create a defensible cybersecurity investment strategy, reflecting agreed protection levels with powerful properties, and in simple language that is explainable to non-IT executives. This provides a credible and defensible expression of risk appetite that supports direct investment to change protection levels.
It also results in reduced operating costs and risk, and improved performance. Here the relationship among CXOs is key to converting the challenges into opportunities.
Example: the CIO and CFO always have communication gaps and disagreements in terms of ROI.
The Process to Be Agreed Upon
A well-defined process with adequate guidelines can work wonders in operations. Hence, draft a step-by-step process of activities with defined roles and responsibilities. Slowly define and agree on KPIs, but let all stakeholders embrace the process first. A collectively agreed process execution results in improved confidence among all signing authorities.
How can we define this from the concept stage to the delivery stage, with a successful operational handover and the desired compliance with both internal and external standards?
Let us define them:
Define and Agree on a Pipeline With the Required Controls
People’s Area of Concern
In order to define and agree on a collective Cybersecurity GRC by design model, we must identify stakeholders from different organizational units to work together for a common goal (a cross-functional team of HR, Finance, Legal, IT, GRC, etc.). Educate them with a collectively agreed process with defined KPIs. This is achieved through a business process walkthrough to identify which people are involved and what data is being processed (input and output).
Technology
Consider a socio-technical environment, where everyone’s culture and practices are embraced and aligned for better outcomes. Agree on a pace-layered technical architecture for agility.
Key Considerations While Selecting Technology Solutions
Generative AI: a double-edged sword that must be operated under adequate governance
Cybersecurity leaders need to prepare for the swift evolution of GenAI, as large language model (LLM) applications like ChatGPT and Gemini are only the start of its disruption.
At the same time, these tools overwhelm us with promises of productivity increases, skills-gap reductions, and other new benefits for cybersecurity. Is it wise to adopt GenAI through proactive collaboration with business stakeholders, so as to lay the foundations for the ethical, safe, and secure use of this disruptive technology?
There is solid long-term hope for the technology, but right now we are more likely to experience prompt fatigue than double-digit productivity growth. Things will improve, so encourage experiments and manage expectations, especially outside the security team, by providing non-production environments such as technical labs. Embrace innovation.
Manage Third-Party Cybersecurity Risk: The inevitability of third parties experiencing cybersecurity incidents is pressuring security leaders to focus more on resilience-oriented investments and move away from front-loaded due diligence activities.
We must consider enhancing the continuous risk management of third-party services and establish mutually beneficial relationships with important external partners, to ensure their most valuable assets are continuously safeguarded. Start by strengthening contingency plans for the third-party engagements that pose the highest cybersecurity risk: create third-party-specific incident playbooks, conduct tabletop exercises, and define a clear off-boarding strategy involving timely revocation of access and destruction of data.
Continuously assess both internal and external attack surfaces: Continuous threat exposure management (CTEM) is a pragmatic and systemic approach we must practice to continually evaluate the accessibility, exposure and exploitability of digital and physical assets.
Aligning assessment and remediation scopes with threat vectors or business projects, rather than with individual infrastructure components, highlights vulnerabilities and unpatchable threats and reduces breaches. Security leaders must continuously monitor hybrid digital environments to enable early identification and optimal prioritization of vulnerabilities, helping to maintain a hardened organizational attack surface.
Manage and Govern Identities: We are forced to move to an identity-first approach to security. The focus shifts from network security and other traditional controls to IAM, making it critical to cybersecurity and business outcomes. Hence the increased role of IAM in security programs; IAM practices must evolve to focus more on fundamental hygiene and hardening of systems to improve resilience.
We must focus on strengthening and leveraging our identity fabric, and on leveraging identity threat detection and response, to ensure IAM capabilities are best positioned to support the breadth of the overall security program.
Conclusion
This program intends to create a socio-technical, collectively accepted approach to reduce operational cost, complexity, and risk, and to improve operational performance and compliance. Here every stakeholder has a role to play with adequate responsibility. A well-understood process, with a cross-functional team equipped with the right technology, can work wonders.
Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.