Compliance is a topic that is at the forefront of conversations in the technology world. With new data storage and management requirements surfacing on a regular basis and the surge of cybersecurity incidents, organizations of all sizes are looking for ways to implement more of the rigorous compliance requirements released by the federal government and other governing bodies.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently released a document on Cybersecurity and Resilience. They’ve broken out their observations and recommendations into the following salient topics:
- Governance and risk management
- Access rights and controls
- Data loss prevention
- Mobile security
- Incident response and resiliency
- Vendor management
- Training and awareness
In this post, we will dig a bit deeper into the first topic of governance and risk management to understand how and why this applies to your organization.
At Coretelligent, we often say that IT is about people first and technology second. It’s no coincidence that OCIE begins its observations by calling out the importance of having executive decision makers actively participate in the compliance conversation and set the tone for the organization. When we see breaches, they often occur within organizations where leaders were dismissive of efforts to secure their technology. When senior managers don’t see the value of security, that attitude is passed through the company, and the result is often a costly loss of productivity or worse. Conversely, we rarely see security issues in organizations where the C-suite has embraced security as part of the culture and views it as an essential part of operations.
How do you convince business leaders to become passionate about security? One of the best ways is to help them understand the cost to the organization if a breach were to occur. This could range from an individual loss of productivity to a company-wide work stoppage. There is also the potential damage to the company’s reputation, which could impair business development and slow growth.
Of course, strong messaging from the top is not enough to protect a company. Leaders must then enact a governance strategy that allows for the identification and mitigation of risk. Through the process of risk assessment, policy documentation, implementation, testing, and repetition, a company can make significant strides in protecting itself and its employees from threats. This process forms the foundation of a company’s cybersecurity posture, upon which a strong and comprehensive security program can be built.
How can you effectively assess risk? Work with your IT provider to outline the workflows, applications, and use cases that occur within (and external to) your organization. The following are just a few examples of questions your IT provider can help answer when determining potential risk and then planning mitigation:
- Are users frequently traveling outside of the country?
- Are you handling confidential information?
- Are team members installing applications that access corporate data on mobile devices?
- Are team members collaborating with external partners?
Once risks have been identified, you will then create policies that help users understand how to steer clear of those risks and how to respond if an incident occurs. Your IT partner or compliance partner should have a comprehensive list of which policies are needed and can help you create a working draft.
As these policies are created, they must be implemented in a timely manner, or you risk becoming non-compliant with government regulations. This may be challenging, as you’ll need buy-in from multiple departments. This is where support from leadership is also critical to success. Staff and contractors must be trained on these policies, with appropriate controls and technology implemented for enforcement. Once the controls are in place, testing and validation should occur to ensure that policies are understood and being followed, and that controls are working as expected. Ongoing training is recommended to ensure that staff members always have the most up-to-date understanding of the threat landscape.
Finally, we get to repetition and iteration. We repeat the process of risk assessment and update the framework as needed. Threats are continually evolving, making it vital to think of this as an ongoing effort and not simply a static event.
Taking a people-first approach at each step helps foster understanding and adoption. Success starts with active participation at the highest level, with clear communication that risk reduction, compliance, and process review are not one-time activities but will require ongoing attention and funding.