The elevation of cybersecurity to a Board- and CEO-level issue has forced governance, risk, and compliance (GRC) processes and technologies to evolve. As we’ve covered before, Gartner marked the next iteration of security, risk, and privacy management by dubbing it integrated risk management (IRM). While the integrated risk management approach departs from the checkbox compliance activities around which most teams have built their organizations, that does not mean governance, risk, and compliance activities have no place in it. Rather, governance, risk, and compliance, as three functions, are the foundation of an integrated risk management approach to cybersecurity.
More is expected of information security teams: visibility into their organization, reporting to business-side leaders, and greater reliance on them as enterprises adopt more technology. To meet these expectations, teams need tools that automate much of the GRC work they have done by hand for years. An approach that integrates governance, risk management, and compliance activities supports these three new requirements.
In this guide we examine how integrating GRC activities - the processes of governance, the frameworks of risk management, and the standards of compliance - can lead an organization toward a more integrated view of risk and compliance. We explore how GRC automation and integrated risk management practices can streamline and support the new mandates for cybersecurity leaders, and why “integrated risk management vs. GRC” is a false dichotomy when the right solutions work together.
- The Processes of Governance: how tools that automate GRC activities can ease the transition to an integrated risk management approach, through automated reporting and real-time dashboards that translate security, risk, and privacy management programs into business objectives and support business growth.
- The Frameworks of Risk Management: managing cyber risk is the core mandate of information security teams in today’s business climate, and frameworks are the foundation of the risk management activities every organization practices. We look at gold-standard frameworks and best practices for managing risk, and at how outcome-based, integrated frameworks drive every aspect of a cyber program and support business growth.
- The Standards of Compliance: compliance management was the original driver for many information security organizations and remains a necessity today. As new standards and compliance requirements keep arriving, knowing how to build a strategy that can absorb them is critical. We examine how integrated GRC solutions support the patchwork of compliance standards now emerging, and how integrated GRC and IRM tooling, supplemented with AI and machine learning, can save teams time.
Governance, Processes, and Automation
Contributed by Jerry Layden
Any enterprise operating at scale understands the need for standardization and strong corporate governance. Having served Fortune 50 companies for decades, I have seen the importance that strong governance can have for ensuring that an organization grows in a secure fashion. These business processes can inform how an organization approaches security as well as provide structure to how each line of business embraces certain growth strategies.
The foundation of any modern cybersecurity program is the set of people and processes that keep the organization aware of the risks it faces, whether phishing or more complex attacks. Within these processes there needs to be standardization. Each team across the enterprise may have its own norms and practices, but information security leaders need to ensure that standard policies govern the aspects necessary to keep the organization secure. Tools that integrate these standards help catalyze that standardization. Since the processes will take the most time, start by integrating and standardizing them.
Foster Collaboration In Information Security
Many mature GRC programs are organized modularly. When implementing an integrated approach, though, organizations must change the way these teams communicate. Integrated GRC or integrated risk management tools can help: they foster information sharing, allow asynchronous communication, and increase visibility across the whole organization. That visibility matters all the more as program data is rolled up the chain of command.
Data Visualization and Faster Delivery of Information
With strong, standard processes in place and a more integrated risk and compliance organization, technical and business leaders must be able to see and digest that operational data effectively. This is where data visualization at the intermediate (director and manager) level becomes critical, and the dashboards in GRC automation tools and integrated risk management solutions vary widely in quality. Without strong integration of risk and compliance data at that level, reporting upward breaks down. More and more technical leaders are being called into Board- and CEO-level discussions, and without a comprehensive, integrated view of governance and risk management activities they will be lost. Strong dashboards and quantitative metrics are the first steps to getting there.
Reporting that Communicates in Business Terms
Traditional GRC technology has focused on technical reporting - artifacts like System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) needed for an internal audit or in the event of a breach. To integrate GRC, especially governance activities, your solution’s reporting must do more.
The greatest change facing governance teams is the increased interest from the CEO and Board in the cyber posture of the organization. An integrated GRC solution or integrated risk management tool needs to support that new need. While CEOs and Boards are used to managing financial, strategic, and operational risk, cyber risk has often been treated as an opaque unknown. A capable integrated solution helps bridge that gap.
Integrated Governance Needs to Move Both Up and Down
To integrate governance activities effectively, whether simply to increase GRC maturity or to work toward an integrated risk management vision, all parts of the organization must be involved: from standardizing processes at every level to improving and automating the way senior technical leadership reports to the Board and CEO. These changes depend on tools that enable them; integrating GRC activities requires an integrated solution.
Risk, Quantifiable Metrics, and Aligning with Business Objectives
Contributed by Padraic O’Reilly
Risk management is the new foundation of an information security program. Coupled with the compliance activities necessary to support ongoing business operations, risk management centers on identifying and remediating the risks specific to a given organization. As more enterprises embrace digital technology, the relative importance of risk over compliance has grown: with the growing variety of technologies organizations adopt, baseline compliance is necessary but is only a first step toward securing the organization.
The Importance of Risk Assessments
Almost all risk management frameworks require the consistent use of risk assessments. Whether NIST SP 800-30, FAIR (Factor Analysis of Information Risk), or even a three-by-three likelihood-by-impact matrix, risk assessments are the foundation on which all risk management is built.
Choosing a risk assessment methodology comes down to what makes the most sense for your organization. My recommendation is to start general and then tailor based on your findings. Once your organization has a baseline, determining the best framework or combination of frameworks will become clearer. Remember, a risk assessment methodology should bring your organization closer to understanding the risk exposures that are specific to strategic or business goals. It is far too easy to get lost in a methodology. As a math professor once said to me, “Don’t mistake the model for reality.” The point is to leverage a model or methodology to get a deeper understanding of reality. Resource decisions and risk appetite are much easier to handle if metrics are defensible and easy to understand.
Risk Management Frameworks
The primary vehicle for risk management in the context of integrated GRC activities is a risk management framework: it starts with risk assessments and then governs how identified risks are addressed and which remediation activities are prioritized. In most cases, an integrated GRC framework uses risk management as its foundation. Assessing risk and compliance in tandem sheds light on your organization's compliance stance while simultaneously illuminating risk remediation priorities.
Translating Cyber Risk to Stakeholders
Arguably, the most important aspect of risk management is leveraging information to improve the resiliency of the organization. For many business-side leaders, cyber risk is an unknown quantity. Yet, in today’s digital world, CEOs and Boards must be able to integrate cyber risk into the overall enterprise risk profile. This is where risk quantification becomes critical.
This is driving security leaders to examine various risk quantification methodologies. The goal is to match the methodology to specific business and reporting requirements so that it provides the most value. Ideally the method is based on how senior management already sees risk - business, operational, strategic - so that cyber risk can be rolled into that mix.
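The two assessment styles named above (a three-by-three matrix and a FAIR-style quantification) side by side, as an added example that is not part of the original guide or any contributor's tooling. The matrix function reproduces the usual ordinal bucketing; the Monte Carlo part is a deliberately simplified FAIR-style model (loss event frequency and loss magnitude as calibrated min/most-likely/max estimates, not the full FAIR ontology) that produces the kind of quantitative metrics a Board can compare with financial risk: annualized loss expectancy, a 90th-percentile year, and the probability of exceeding a stated risk tolerance. The scenario name, its estimates, and the tolerance figure are hypothetical values chosen for illustration.

```python
"""Added example: a qualitative three-by-three matrix next to a simplified
FAIR-style Monte Carlo estimate of annualized loss for one risk scenario."""
import math
import random
import statistics
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Three-by-three matrix: add the two ordinal ratings and bucket the sum.
    low/low, low/medium -> low; medium/medium, low/high -> medium;
    medium/high, high/high -> high."""
    total = LEVELS.index(likelihood) + LEVELS.index(impact)
    if total <= 1:
        return "low"
    if total == 2:
        return "medium"
    return "high"


@dataclass
class Scenario:
    """Calibrated (min, most likely, max) estimates for one loss scenario.
    The numbers used below are hypothetical, chosen for illustration only."""
    name: str
    events_per_year: tuple  # loss event frequency estimates
    loss_per_event: tuple   # loss magnitude estimates, in dollars


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method: draw the number of loss events in one year given the
    expected rate. Adequate for the small rates typical of cyber scenarios."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> list:
    """Monte Carlo: each trial is one simulated year. Frequency and magnitude
    are drawn from triangular distributions over the (min, mode, max) estimates;
    the annual loss is the sum of the losses of that year's events."""
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    f_lo, f_mode, f_hi = scenario.events_per_year
    m_lo, m_mode, m_hi = scenario.loss_per_event
    losses = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_mode)  # random.triangular(low, high, mode)
        events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(m_lo, m_hi, m_mode) for _ in range(events)))
    return losses


def summarize(losses: list, tolerance: float) -> dict:
    """Metrics a Board can compare with financial risk: annualized loss
    expectancy (mean), median, 90th percentile, and the probability that a
    year's loss exceeds the stated risk tolerance."""
    ordered = sorted(losses)
    return {
        "ale": statistics.fmean(losses),
        "median": statistics.median(losses),
        "p90": ordered[int(0.9 * len(ordered))],
        "p_exceed_tolerance": sum(loss > tolerance for loss in losses) / len(losses),
    }


# Hypothetical scenario: credential phishing leading to business email compromise.
BEC = Scenario("Business email compromise via phishing",
               events_per_year=(0.5, 1.5, 4.0),
               loss_per_event=(50_000, 200_000, 1_000_000))
RISK_TOLERANCE = 1_000_000  # hypothetical: the most the business accepts losing in a year

if __name__ == "__main__":
    print("matrix rating (medium likelihood, high impact):", qualitative_rating("medium", "high"))
    stats = summarize(simulate_annual_loss(BEC), RISK_TOLERANCE)
    for key, value in stats.items():
        print(f"{key:>20}: {value:,.2f}")
```

The matrix answers "is this risk high?"; the simulation answers "how much could this cost us in a bad year, and how often?", which is the form of answer the quote above about matching methodology to how management already sees risk is asking for. Replacing the triangular draws with the calibrated distributions your estimators actually provide, and adding more scenarios, is the natural next step.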
Risk Data Visualization
Finally, an integrated view of risk helps both remediation and communication with business leaders. The right mix of risk quantification breakdowns contextualizes technical risk metrics so that technical leaders can prioritize remediation while the risk profile is conveyed credibly to non-technical stakeholders.
The Foundation To a Forward-Looking Cyber Program
While traditional GRC practice is guided by checkbox compliance activities, integrating governance, risk, and compliance requires doing these activities in tandem. Customizing a risk management program to the enterprise, rather than to general compliance standards, is critical. Structuring goals around a deeper understanding of enterprise risk enables an organization to prioritize the specific risks and threats to the business and to convey that information to management.
Compliance, Regulations, and Futureproofing Your Cybersecurity Program
Contributed by George Wrenn
Compliance has been the cornerstone of many cybersecurity programs and the catalyst for why many exist in the first place. Since the rise of the information technology function within the enterprise, security has been a priority not just for companies themselves but for the governing bodies of the industries and locations in which they operate. For many entities, compliance is a critical function for ensuring ongoing business operations and supporting new business growth.
Why Compliance Standards Exist
To understand the role that compliance standards play in an integrated risk and compliance program, think of compliance standards as the physiological requirements in Maslow's hierarchy of needs: the foundational requirements like food, water, and shelter. The function of compliance standards set forth by governing bodies is to ensure that participants in that industry have implemented good enough security practices to participate in the industry and keep the ecosystem secure. Often, we see standards in highly-regulated industries, places where the failure of these functions is not an option - energy and utilities, banking and finance, defense and aerospace.
Enough Is Not Enough
Here's the thing - enough is not enough in many cases. Mandatory standards are designed for the lowest common denominator: they must be achievable by companies of varying sizes and sometimes differing functions. The result is that these standards are general and, on their own, not enough to secure any one organization adequately. Compliance standards, while prescriptive and valuable at an industry level, are not enough for one organization to claim security to its CEO and Board.
Foundational Frameworks Transcend Compliance
We have covered before how the continued rise of compliance standards is overtaxing cybersecurity teams. Reacting to each new framework and standard as it emerges leaves organizations reeling. The strategy for integrating compliance activities into a cybersecurity program begins with a guiding, foundational framework. In most cases, I recommend the NIST Cybersecurity Framework (CSF) as that north star. The reason is that the requirements that make up these standards are frequently based on, or map cleanly to, the CSF. When security leaders focus on the foundational principles of the CSF rather than on each compliance requirement individually, the result is significantly less menial effort spent meeting new demands. The best way to futureproof your cyber program against new compliance requirements is to focus on the foundational framework that informs them.
Integrating Governance, Risk, and Compliance With the NIST CSF
For leaders looking to integrate their governance, risk, and compliance activities, there is another reason to use the NIST CSF as the guiding force for compliance: the NIST portfolio of frameworks and publications brings all GRC activities under one banner. As my co-founder discussed in his webinar on harmonizing privacy, risk, and cybersecurity, the NIST CSF is designed to integrate with the NIST Risk Management Framework and the NIST Privacy Framework. Further, the CSF's outcome-based approach supports the translation of tactical cybersecurity risk and compliance activities into business outcomes - a critical function for today's cybersecurity leader.
Integrating Governance, Risk, and Compliance
The expectations that Boards and CEOs hold for CISOs and their information security programs have evolved rapidly since the days before the Equifax breach. As data breaches and security events continue to make headlines almost daily, security leaders must update their programs to support this new role. A siloed security program that leaves each GRC activity to disparate teams with no integrated GRC framework will leave those teams and leaders spread thin trying to navigate it. Breaking down and re-integrating the activities behind governance, risk, and compliance is the key to an integrated risk and compliance vision.