Extending the reach of GRC into Cyber
Why Businesses Struggle With CyberSecurity Assurance
In a five part thread Caveris outlines why organisations struggle with Cybersecurity Assurance, due to, in part, lack of visibility of basic security controls, over reliance of manual processes and poor control governance.
Mike Bohnel former security officer, Deutsche Bank, Founder of Caveris Cyber Assurance.
Whilst business has little influence over the information security risks they face in conducting their business activities and even less influence over cyber criminality they do have complete control over how they manage and protect their information assets. However, it is abundantly clear that a large number of businesses need significant help in this exercise. The accelerating pace of technology advances together with an insatiable appetite from consumers is driving many businesses into areas that they are ill-prepared to operate in.
Research carried out by Verizon & Ponemon has clearly identified 5 key security threats facing businesses today:
Inconsistent application of basic security controls
Lack of meaningful and actionable information to support decision making process
Failure of IT & business teams to collaborate
Reliance on manual processes to manage security
Shortage of skilled resources across IT and the business to support InfoSec
Managing security is an ongoing process that evolves and changes over time in line with the ever-changing threat model. Businesses are subject to increasing and ongoing demands to compete which mandates agility and flexibility to adapt at short order. These demands are exacerbated with pressures to also provide services or products at more competitive price points. The effective enforcement of security can only ever be based upon structure, consistency and rigour all of which are not necessarily easily aligned with business and technology operations staff often struggling to keep the lights on.
Businesses continue to face unprecedented levels of risk associated with threats to their information assets. Barely a day goes by without hearing a report of a new data breach, cyber-attack or phishing campaign. The threat landscape has clearly evolved, with new threats emerging all the time that threaten the security of organisations around the world. There’s little doubt that cybercrime will continue to dominate the headlines for years to come. As cybercriminals become more sophisticated and devious in their attack methods, organisations will need to ensure they have robust systems in place to defend against these evolving threats.
Having the ability to dig deeper into the technology controls, automate manual attestations and audit compliance to standards all at a highly granular level, to know (not just hope or assume) that your controls are working, are being rigorously applied and have the evidence to prove it and report on it is the only way anyone involved (and we are all involved) in managing cyber risk will be able to sleep at night….