In response to the headline breaches plaguing organizations across the globe, there have been numerous solutions and recommendations that have gained popularity in the fight to combat cyber-crime. New security appliances, 24×7 network monitoring services and red team assessments are a few of the solutions being discussed among IT leadership and the cybersecurity services community. While each of these solutions plays a crucial role in strengthening the cyber resilience of organizations, their efforts are often futile if the appliances are not being used correctly or if vulnerabilities are not remediated properly and expeditiously.
So, the question becomes, how do you manage your security program and ensure that your organization is following the proper processes, policies and procedures? The best way to do this is with an effective, cyber-centric IT Governance, Risk and Compliance (GRC) program.
Unless I’m talking with internal audit leaders, I’m often asked “What is IT GRC?” A closer look quickly reveals that the concepts covered by this acronym encompass topics that keep CIOs and CISOs awake at night — at organizations of all sizes, in all sectors.
An effective IT GRC program delivers sustainability, consistency, efficiency and transparency through execution in strategic alignment, value delivery, risk management, resource management and performance management. Each of these domains is vital to the success of an enterprise’s IT effectiveness. However, in today’s cyber threat landscape, it is imperative that an organization’s Risk Management Program sufficiently addresses modern cyber risks.
An effective Cyber Risk Management Program is an organization’s first line of defense against becoming the next headline breach. An IT audit or security assessment only delivers value if proper remediation steps are taken and supported by the board and senior management. An effective cyber-centric IT GRC program can facilitate that remediation and prevent future weaknesses.
Here are ten questions to consider, which an effective IT GRC program will help you answer:
- What are our objectives related to the confidentiality, integrity and availability of our systems and data?
- How do we establish, maintain and approve cybersecurity objectives that support achievement of the organization’s business objectives?
- How do we establish, maintain and communicate integrity and ethical values to support the Cybersecurity Risk Management Program?
- How is the board of directors engaged in the oversight of the organization’s Cyber Risk Management Program?
- Have we established effective cybersecurity accountability and reporting lines?
- What are our cyber risks based on the nature of our business operations, our principal products and services, and our distribution channels?
- What types of sensitive information do we create, collect, transmit, use or store? Where is our sensitive information stored?
- What factors have a significant effect on our inherent cybersecurity risks, including the characteristics of technologies implemented, use of third-party service providers, and delivery channels used by the organization; organizational and user characteristics; and environmental, technological, organizational and other significant changes?
- How do we conduct ongoing and periodic evaluations of the operating effectiveness of cybersecurity control activities?
- How do we evaluate and communicate cybersecurity threats, vulnerabilities and corrective measures to management and the board of directors?
While an effective, cyber-centric IT GRC program will not prevent all cyber incidents, incorporating these ten areas will better position your organization, moving it away from being the “gazelle at the back of the herd,” under constant attack from cyber criminals.