To bridge the gap between governance, risk and compliance (GRC) and IT security, organizations must adopt best practices that include automation, raising awareness and documentation, a panel of industry professionals told an audience Tuesday at SC Congress New York.
Compliance professionals often learn about potential threats from media reports or government regulators, said panelist Paul McCulloch, chief executive officer (CEO) at Helm Solutions. McCulloch, the former global chief of cyber and tech compliance at JPMorgan Chase, said that it is "more difficult for someone in compliance to learn to understand security" than vice versa. He advocates automating compliance as much as possible. "You can't train staff on everything," he said.
Manual solutions also lack the ability to effectively document security incidents, said Amy Mushahwar, counsel and CISO at ZwillGen. "Tools that automate compliance help get legal into the picture faster," she said.
Some companies have given individual managers greater authority to sign off on specific risk scenarios. Mushahwar called this trend "disturbing" because cumulative risk is a significant security challenge for many companies.
Kenneth Brancik, CISO at Mount Sinai Health System, said a lack of best practices for threat modeling analytics is a challenge for many companies. "We need to focus on the threat modeling process, as opposed to the response time once a breach occurs," he said.
Compliance traditionally has been "principally reactive, not proactive," McCulloch said, suggesting that the paradigm needs to "lead with technology."