
Integrating GRC: Governance, Risk and Compliance Automation

Written by Jerry Layden | June 6, 2019

In our Integrating Governance Risk and Compliance series, CyberSaint leadership explores the process through which cybersecurity leaders can reconfigure their organizations to support the new paradigm of information security as a business function.

Any enterprise operating at scale understands the need for standardization and strong corporate governance. Having served Fortune 50 companies for decades, I have seen the importance that strong governance can have for ensuring that an organization grows in a secure fashion. These business processes can inform how an organization approaches security as well as provide structure to how the business side embraces certain growth strategies.

Standardizing Process

The foundation of any modern cybersecurity program is the people processes that ensure the organization is aware of the risks it faces - whether phishing or more direct attacks. Within these processes, though, there needs to be standardization. While each team across the enterprise may have its own norms and practices, information security leaders need to ensure that standard policies are in place governing the aspects necessary to keep the organization secure. Using tools that can integrate these standards, and in the case of CyberStrong even provide policy templates, helps catalyze that standardization process. Since processes take the longest to change, start by working to integrate and standardize them.

Foster Collaboration In Information Security

Many more established GRC programs use a modular approach to their organization - when integrating GRC activities, though, organizations must approach the way these teams communicate differently. Governance, risk and compliance automation tools or integrated risk management tools can help with this - often, these tools allow for asynchronous communication as well as increased visibility across the whole organization. This increased visibility becomes all the more important as program data is rolled up the chain of command.

Data Visualization and Faster Delivery of Information

With strong, standard processes in place and a more integrated risk and compliance organization, technical and business leaders must be able to see and digest that operational data effectively. This is where strong data visualization at the intermediate level becomes critical. Within GRC automation tools and integrated risk management solutions, these dashboards vary widely in quality. This is where the tool that leaders select becomes the cornerstone of how integrated their risk and compliance organization can become. Without strong integration of risk and compliance data at the director and manager level, the reporting further up will break down. As we’ve seen, more and more technical leaders are being called into Board- and CEO-level discussions, and without a comprehensive, integrated view of governance and risk management activities they will be lost. Strong dashboards and quantitative metrics are the first step to getting there.

Reporting that Communicates in Business Terms

More traditional GRC technology has been focused on technical reporting - reports such as System Security Plans (SSPs) and Plans of Action and Milestones (POAMs) that are necessary for an internal audit or in the event of an investigation. In order to integrate GRC, especially governance activities, the reporting your solution produces needs to do more.

We’ve alluded to how the greatest change facing governance teams is the increased interest from the CEO and Board in the cyber posture of the organization. Therefore, an integrated GRC solution or integrated risk management tool needs to be able to support that new need. While CEOs and Boards are used to managing financial, strategic, and operational risk, cyber risk has been seen as a mystical unknown. A capable integrated solution will help bridge that gap. In the case of CyberStrong, reports such as the Executive Risk report deliver cyber risk metrics in business terms.

Integrated Governance Needs to Move Both Up and Down

In order to effectively integrate governance activities, whether simply to improve them or to work toward an integrated risk management vision, all parts of the organization must be involved - from standardizing processes at all levels of the organization to improving and automating the way that senior technical leadership reports out to the Board and CEO. These changes are only made possible by powerful tools that enable them. Integrating GRC activities requires an integrated solution.