Demonstrating InfoSec Due Diligence
Just last week Andrew Mallaband from Breakthrough Moments and a member of our Advisory Board published a post on LinkedIn sharing some key findings from our recent customer interactions and I wanted to share the commentary from his article.
Over the last month I have been on the road with the founders from Caveris learning about the challenges organisations face in managing their InfoSec compliance and it is very clear to me that there is a latent need for software that can cost effectively orchestrate and automate the process in this space.
There is clearly a growing appreciation of the importance of managing compliance, and all of the organisations I met have either implemented or are implementing frameworks like ISO27001. While this is a great step forward in helping organisations to bring more rigour and order to their information and cyber security processes they often fall short because the mechanisms that they utilise to orchestrate their governance, risk and compliance (GRC) process are still very primitive.
Many organisations I spoke with are still using spreadsheets as the foundation to track status and record the evidential proof of compliance across all of their security controls. Even in a small organisation that adopts the ISO27001 framework there may be hundreds of controls and thousands of individual control instances that must be tracked, across technology platforms, HR, business operations and 3rd party suppliers where there are potential risks that should be subject to due diligence in order to maintain Information & Cyber Security compliance.
For each control instance a set of scheduled validation checks are performed which are often delegated to security, IT, HR and business operations personnel to execute. The results of these checks must be recorded, typically in spreadsheets, which may reference other documents, to provide evidential proof that the control in question is compliant or non-compliant. In situations of non-compliance, risks must be documented and remedial action must be taken.
All of this results in a lot of work for people across the organisation with potential for the integrity of the process to break down because people do not always follow through on what they were supposed to do, for whatever reason.
Because of the retrospective nature of this approach it is also not uncommon that security risks go unnoticed, creating windows of time where organisations are exposed to data breaches. Simple but common examples cited were situations where employees leave the organisation but their accounts have not been deleted, or a security vulnerability in a system exists but the relevant patches have not been applied. These can be classified as unscheduled events and ideally they should be captured in real time so that remedial action can be taken immediately to eliminate the risk that they pose. The evidential proof of remediation should also be recorded.
All of the organisations I spoke with acknowledged that they did not have a consistent approach in this regard across all of their controls and there was a lot of room for improvement.
All in all, from what I heard, if the organisations I met could take a more holistic and systematic approach to information & cyber security GRC they would be in a better place to continually improve their security posture, leaving them less exposed to cyber attacks and the potential business consequences that may result such as IP loss, loss of customers and revenue, regulator fines and the potential negative impact on their company's valuation. They could also free up a lot of valuable human resources from the drudgery of low level activities that have to be performed manually today.
Many organisations highlighted in our discussions that there are already a large number of GRC toolsets in the market that provide workflow, collaboration and reporting; these are typically focused on orchestrating processes based on human attestation. While this might bring more order and consistency to their process there was a desire to go beyond this and also automate low level activities such as compliance checks and remediation in the technology layer, as described earlier. These capabilities are clearly critical to bring more rigour and consistency to the process because the threat landscape is changing on a daily basis.
I also heard from many organisations that the GRC solutions they had considered were also extremely expensive to license and require significant investment of skilled resources to provision and operate, making the business case to invest challenging for the majority of organisations.
Having a cost effective solution that is simple to deploy, can deliver immediate value and combines the ability to automate processes wherever possible is critical in scaling out an effective InfoSec GRC strategy.
If you are trying to tackle these issues and would like to learn more about how Caveris is bringing new innovation to the space to make what I described a reality, feel free to reach out.
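The post above describes two things an automated control check in the technology layer should do: catch unscheduled events such as a leaver whose account is still enabled or a patch that is overdue, and record evidential proof of the result against the control instance. The script below is an added illustration of that pattern; it is not Caveris code and not the author's method. The HR leaver feed, directory export, patch inventory, SLA and control names are all constructed placeholders, and in practice each would be pulled from the relevant system of record rather than hard-coded.

```python
"""Automated control check producing an evidence record.

Added example, not code from the original post or from Caveris.
All inputs below are constructed placeholders.
"""
from dataclasses import dataclass, asdict
from datetime import date
import json

# --- Constructed sample inputs (placeholders, not real data) ---
# HR leaver feed: user -> last working day
HR_LEAVERS = {
    "bsmith": date(2024, 3, 1),
    "cjones": date(2024, 4, 10),
    "emoore": date(2024, 6, 30),   # future leaver, must not be flagged yet
}
# Directory export: user -> account state
DIRECTORY_ACCOUNTS = {
    "alee": "enabled",
    "bsmith": "enabled",    # leaver still enabled -> finding
    "cjones": "disabled",   # leaver correctly disabled
    "dkim": "enabled",
    "emoore": "enabled",
}
# Patch inventory: host -> patches not yet installed (ids are placeholders)
PATCH_INVENTORY = {
    "web-01": [{"id": "PATCH-PLACEHOLDER-1", "released": date(2024, 1, 15)}],
    "db-01": [{"id": "PATCH-PLACEHOLDER-2", "released": date(2024, 4, 25)}],
    "app-01": [],
}
PATCH_SLA_DAYS = 30            # assumed remediation SLA
AS_OF = date(2024, 5, 1)       # date the scheduled check runs


@dataclass
class Finding:
    control: str   # illustrative control name, not an ISO clause reference
    subject: str   # user or host the finding concerns
    detail: str


def check_leaver_access(leavers, accounts, as_of):
    """Flag leavers whose account is still enabled on or after their last day."""
    findings = []
    for user, last_day in sorted(leavers.items()):
        if last_day <= as_of and accounts.get(user) == "enabled":
            age = (as_of - last_day).days
            findings.append(Finding(
                "leaver-access-removal", user,
                f"account still enabled {age} days after last working day "
                f"{last_day.isoformat()}"))
    return findings


def check_patch_sla(inventory, as_of, sla_days):
    """Flag hosts with a missing patch older than the SLA window."""
    findings = []
    for host, missing in sorted(inventory.items()):
        for patch in missing:
            age = (as_of - patch["released"]).days
            if age > sla_days:
                findings.append(Finding(
                    "patch-within-sla", host,
                    f"{patch['id']} released {age} days ago, SLA is {sla_days} days"))
    return findings


def run_checks(as_of=AS_OF):
    """Run every check and return the evidence record to store with the control."""
    findings = (check_leaver_access(HR_LEAVERS, DIRECTORY_ACCOUNTS, as_of)
                + check_patch_sla(PATCH_INVENTORY, as_of, PATCH_SLA_DAYS))
    return {
        "checked_on": as_of.isoformat(),
        "status": "non-compliant" if findings else "compliant",
        "findings": [asdict(f) for f in findings],
        # record what was examined so the evidence is reviewable later
        "inputs": {"leavers": len(HR_LEAVERS),
                   "accounts": len(DIRECTORY_ACCOUNTS),
                   "hosts": len(PATCH_INVENTORY)},
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

Run on a schedule, the JSON record is the evidential proof the post asks for: it names the date, the inputs examined and each non-compliant instance, so a reviewer can see both what was checked and what remedial action is outstanding. Re-running after remediation produces the "compliant" record that closes the risk.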