Building a Sustainable Governance, Risk and Compliance (GRC) Model
No one questions the business mandate to comply with Sarbanes-Oxley (SOX) controls; organizations had no choice but to adhere to the new regulations. Yet more than two decades after the term “cybersecurity” was coined, many organizations still struggle with cybersecurity risk management: 88% do not believe their information security fully meets their needs.[1] Data breaches have also become almost commonplace; in 2015, breaches in business, government and healthcare organizations reached near-record rates.[2]
So are criminals just getting smarter, or is it more likely that organizations are not allocating the proper resources to address these risks? Like the implementation of SOX controls, cybersecurity is an iterative exercise. To stop struggling to build a sustainable cybersecurity compliance program, organizations must develop more comprehensive governance, risk and compliance (GRC) models.
What is at risk?
For Customers – Organizations always include meeting customer expectations as a component of business strategy, so the risk of losing a customer is also critical to the business. The impact of breaches on customers is rapidly evolving, and the risk is more than customers’ credit card numbers. In fact, for most retailers there is little reason to even store that data: the customer has minimal liability in the event of a breach and relatively minimal inconvenience, since it is now extremely easy to have credit cards replaced and issuers will always reverse illegitimate charges. The entire process is fairly painless and entirely manageable. Private information such as Social Security Numbers, however, is another story: once that information is stolen, it is compromised forever. Companies must understand the relative value of different types of information and their impact on customers in order to develop more effective solutions.
For the Company – Not all breaches carry the same risk, but all have the potential to damage important company assets such as brand image, organizational reputation and finances. The court of public opinion will look at two specific areas: the organization’s due diligence in managing the risk before an incident, and its ability to communicate, react and support its customer base after one. These key indicators are only addressed by a comprehensive GRC business strategy. Moving your business forward with GRC as a cornerstone will support growth and innovation while keeping risk in check.
Developing stronger GRC models
At WGroup, we believe a business-driven mandate for GRC is essential. It must be part of an enterprise business model in which organizations expand, improve and innovate in order to actively address cybersecurity risk. Cybersecurity needs to be part of your organization’s DNA, and companies should take the opportunity to transform their GRC efforts as they implement new projects.
There are several components that a GRC strategy model should include:
– Commitment from top business leaders
– Organizational alignment
– People, Process, and Technology
– Operational Enablement
The GRC function is not only about protecting the confidentiality of information; it needs to be a more holistic methodology. In addition to safeguarding company assets with tools such as encryption, a robust security framework should be implemented.
The National Institute of Standards and Technology (NIST) framework addresses not only protection, but other critical factors including:
– Asset inventory, management, and governance
– Data awareness, training, protection of data, policies and procedures
– Anomaly detection and event management
– Response planning, communication, analysis, and mitigation
– Recovery plans, strategy, and lessons learned
IT security risks are relevant and growing. Companies need to understand new threats and how to manage them. By implementing more sustainable, comprehensive GRC models, organizations can significantly reduce their risk of breach and improve their overall cybersecurity risk profile.
[1] EY’s Global Information Security Survey 2015
[2] Identity Theft Resource Center (ITRC) data breach reports
How Cloud Computing Is Poised to Shift the Security Status Quo
While cloud computing received a significant amount of positive media attention in 2015, 2016 is poised to be the year it truly shakes up the security status quo. Even though 2015’s coverage led to a better appreciation of cloud services, enterprise workloads did not shift to the cloud in large numbers. Expect that to change in 2016.
Here are a few reasons to expect cloud computing to shake up the security status quo in 2016.
Traditional Security Vendors Will Need to Adapt to the New Cloud Culture or Face a Decline
Traditional anti-malware and encryption companies may not have needed to accommodate the cloud culture in years past, but that should change in 2016. Anti-malware developers will likely focus on software that integrates seamlessly with cloud platforms. This prediction, however, comes with its own set of challenges.
Security vendors will need to work closely with cloud platforms, since inserting third-party anti-malware solutions into cloud platforms will not happen effortlessly. Still, expect cloud providers to create APIs and frameworks that help anti-malware vendors bring their software onto the cloud. Since anti-malware products are not a cloud platform’s area of expertise, working with third-party vendors will benefit cloud platforms and traditional vendors alike.
Encryption companies also stand to benefit from the move to the cloud. With the rise of mobile devices and cloud computing, there is an increased understanding that encryption is a security necessity at all times. Encryption vendors have a huge opportunity to create scalable and transparent solutions that broaden the capabilities of encryption on a cloud platform.
Vendors who are incapable or unwilling to adapt to the new cloud security culture will likely face the threat of a decline in business.
The Rise in Cloud Security Will Place a Heavier Emphasis on Effective Security Policies and the CISO
The expected increase in cloud security implementation will ultimately demand a greater emphasis on security policy as well. While the majority of IT leaders now believe that cloud security is as secure as or more secure than traditional on-premises software, effectively transitioning to a cloud security environment can be complicated.
In a recent Cloud Security Alliance survey, 67.8 percent of companies said the greatest obstacle to moving to a cloud system is the ability to enforce corporate security policies. An effective cloud security transition therefore requires the right policies to make the move as seamless as possible, and companies with a CISO have an easier time achieving this goal.
The survey found that a CISO plays an integral role in developing security policies. As a result, a CISO makes it more likely that the company is prepared for cyberattacks, which is why companies that already embrace the cloud are more likely to have a CISO. More than 60 percent of companies have a CISO, and that number seems poised to increase with the continued rise of cloud computing security.
In effect, cloud computing is poised to demand industry changes as well as changes to the corporate culture of companies that move toward cloud security in 2016 and beyond.
Bring Your Own Device (BYOD) – The Risk/Reward Calculation
There are approximately 120 million Americans in the full-time workforce, and according to Pew Research Center nearly two-thirds of American adults aged 18 and over own a smartphone. Extrapolating the latter statistic onto the former figure suggests that, hypothetically, 76,800,000 Americans use their smartphone for work purposes. With these statistics in hand, it is safe to say that Bring Your Own Device (BYOD) has become a popular solution across enterprises of any size. Yet despite the wide reach of BYOD, companies still report that they struggle to properly weigh the rewards against the costs as they attempt to adopt this potentially money-saving Information Technology (IT) solution.
The Rewards Associated With BYOD
In 2013 Geoffrey Moore, best-selling author, Managing Director at TCG Advisors and Venture Partner at Mohr Davidow Ventures, famously argued that CIOs need to understand that employee brain patterns change direction when they have to think about accomplishing a task rather than remaining free to creatively brainstorm a solution. On this theory, he went on to suggest that if you give employees technology that they love to use, they will be able to focus on pattern recognition and other value-adding activities rather than wondering what button to press. In his words, “The amount of redirection of neurons when you have to do that [complete an assigned task on an unfamiliar device] and the interruption in the flow of imaginative thinking is much more dramatic than people actually acknowledge.” As outlined below, BYOD embodies Moore’s line of thinking and provides numerous rewards:
– BYOD allows employees to use consumer technology that they are both familiar and comfortable with
– Using BYOD at work can create a smoother transition into the workspace, which can improve productivity levels
– An increase in employee satisfaction has been shown to correlate directly with increased production and goal-oriented achievements
– BYOD improves employee engagement levels both internally (with other employees or managers) and externally (in a client-facing environment)
– BYOD policies can enhance recruitment efforts for the millennial generation
– BYOD offers a viable solution to employees’ growing desire to work remotely with flexible work hours
The Costs or Risks Associated with BYOD
The inherent “cost” of BYOD is that it opens security risks or vulnerabilities that would not otherwise have been introduced into the work environment. Additional costs or risks associated with BYOD include:
– BYOD allows employees to potentially walk security risks right in and out of the front door every day
– IT departments must plan for new security risks; in doing so, additional money might be spent on employee training and on ensuring that employee devices remain up to date with the latest security software
– IT departments need to spend additional time setting up BYOD devices in the same way they would set up company devices, which includes legal, licensed software; screen locking; business-level encryption protocols; malware and spyware protection; and a secure program for remote system access
– There is a greater risk that employees won’t follow proper security protocols: Cisco recently released a report stating that only 2 out of 5 workers in the banking industry apply even the most basic security settings to their smartphones
– There is a greater risk that BYOD devices won’t meet security, governance and compliance regulations
The use of BYOD is growing across industries, and as it grows so do the associated rewards and risks. Businesses need to carefully analyze their internal IT operations before deciding to implement a BYOD policy.
Building strong, mutually beneficial relationships with IT vendors can make a significant difference in an organization’s ability to deliver on end-user expectations, reduce costs and drive business goals. But effectively evaluating vendors and forming strategic partnerships with those that meet your company’s needs can be challenging. Many IT organizations focus only on short-term tactical and transactional relationships and miss the synergy of a long-term relationship.
Why are vendor relationships important?
It is natural to question the value of building long-term relationships with vendors. The process requires commitment from the organization, regular review and a considerable amount of time. However, investing time and resources in the effort brings many benefits: better partnerships can greatly improve productivity, reduce costs and risk, and improve the end-user experience.
Improved productivity – Developing, implementing and upgrading systems, applications and services can be extremely time-intensive. Working with companies that already know your organization’s infrastructure, systems, culture and unique needs can shorten project time, limit problems and lead to a more satisfactory solution. You can also reduce the time spent on the competitive bidding process and get the project up and running faster.
Reduced risk and costs – Working with a trusted supplier can reduce risk and costs caused by stalled projects or other issues. Close partners are also more likely to work with you if you need financing or to work out more suitable payment plans.
Better end user experience – Trusted vendors often have a better idea of the unique needs and characteristics of your company. That means they can provide applications and services that work better for the end user or your customers.
Forming more beneficial relationships
Vendors are an integral part of your business’s strategic plan, allowing the IT organization to deliver effective services to employees and customers. But building mutually beneficial relationships with vendors takes time, personal connections, and effective review and analysis. Companies should treat the vendor vetting and relationship process with the same planning and care they would invest in any other critical business function.
Start with small transactions – It’s never wise to invest too heavily in an untested partner. That’s why any vendor relationship should ideally start with small projects. This gives you time to see how the vendor operates and decide whether to continue the relationship with more significant stakes.
Treat the vendor fairly – If you decide to invest time and effort in building a relationship with a vendor, it is important to treat them fairly. A partnership is a two-way street. Always make an effort to pay on time, provide ample lead time and build personal connections with vendor representatives.
Be demanding – Although you should always treat your partners fairly and build personal connections, it is important to remember that the needs of your own company come first. Don’t be afraid to ask a lot from your vendor and drive a hard bargain when it comes to price and performance.
Regularly review performance – Be wary of partners that become so embedded in the organization that poor performance goes unnoticed. Guard against this by regularly reviewing vendors and addressing issues as they arise. If at any time a trusted vendor cannot deliver, don’t be afraid to request proposals from other sources.
We just published a terrific case study of a large company that valued strategic partnerships enough to completely rethink the way it measured its IT service provider. It reduced costs by over $100 million while increasing the scope of services, aligning service delivery to business impacts and improving end-user satisfaction. And here’s the kicker: it did so with its incumbent service provider, and both parties are thrilled with the results. Learn how strategic partnerships helped them achieve this by downloading Negotiating Better Solutions with IT Partners.