Bridging the gap between governance, risk and compliance (GRC) and IT security would go a long way towards securing organisations, because it helps senior management and boards understand cyber-risk and the importance of what a CISO deals with every day, delegates were told at the SC Congress NY conference yesterday.
Who is ultimately responsible for signing off on enterprise risk?
Having a technology background gives you the upper hand and the ability to understand how to convey enterprise risk solutions to corporations, according to Paul McCulloch, CEO of Helm Solutions. He says it's great to start in tech and grow into the area of compliance.
Compliance may lead IT professionals to feel bombarded in their work, as explained by Amy Mushahwar, CISO of ZwillGen. From a legal standpoint, “Bringing compliance to the table not only helps you with that dynamic, but they're also creating one heck of a record for negligence.”
“Very rarely do organisations look from the risk perspective with a much wider aperture beyond just looking at IT focus. You really need to do that risk assessment and that control evaluation in terms of how its impact will be for the entire enterprise,” said Kenneth Brancik, CISO of Mount Sinai Health System. The risk is not centred on IT alone; it is enterprise-wide.
Is the compliance paradigm changing?
The move from human-based systems to automated solutions has driven this change, according to McCulloch.
Part of the reason for this is organisations' “lack of ability to effectively document” when they do have an incident, stated Mushahwar. She highly recommends automating incident response as much as possible, as well as day-to-day compliance.
“From an analytical standpoint, there needs to be a lot more connecting of the dots. Looking at network security, endpoint security, data protection — lay out each of the layers of the defence mode, identify all the control points that you have,” commented Brancik. He suggests that organisations look at external threats and states, “There is no best practice for threat modeling.”
How do we demonstrate the value of what's happening today?
“It's a real challenge. Some of it is education and maybe in security we need to do a better job of that education in terms of what that value proposition is as an enabler,” commented Brancik.
“Having a very streamlined and well-run change management system, patch management system and IT project management system provides the documentation to make that happen,” stated Mushahwar.
“Compliance is cost avoidance,” said McCulloch. “Documentation and being able to properly identify the controls and outlines is important. If you can have that, then you can actually have a paper you can point to.”